splunk · ljstella · May 2, 2025 · Mar 21, 2025 · Mar 21, 2025 · Mar 21, 2025
diff --git a/.github/validate_dataset_ymls.py b/.github/validate_dataset_ymls.py
@@ -0,0 +1,46 @@
+import datetime
+import pathlib
+import sys
+from enum import StrEnum, auto
+from uuid import UUID
+
+from pydantic import BaseModel, Field, HttpUrl
+
+
+class Environment(StrEnum):
+    attack_range = auto()
+
+
+class AttackDataYml(BaseModel):
+    author: str = Field(..., min_length=5)
+    id: UUID
+    date: datetime.date
+    description: str = Field(..., min_length=5)
+    environment: Environment
+    dataset: list[HttpUrl] = Field(..., min_length=1)
+    sourcetypes: list[str] = Field(..., min_length=1)
+    references: list[HttpUrl] = Field(..., min_length=1)
+
+
+# Get all of the yml files in the datasets folder
+datasets_root = pathlib.Path("datasets/")
+
+
+# We only permit certain filetypes to be present in this directory.
+# This is to avoid the inclusion of unsupported file types and to
+# assist in the validation of the YML files
+ALLOWED_SUFFIXES = [".yml", ".log", ".json"]
+SPECIAL_GIT_GILES = ".gitkeep"
+bad_files = [
+    name
+    for name in datasets_root.glob(r"**/*.*")
+    if name.is_file()
+    and not (name.suffix in ALLOWED_SUFFIXES or name.name == SPECIAL_GIT_GILES)
+]
+
+if len(bad_files) > 0:
+    print(
+        f"Error, the following files were found in the {datasets_root} folder.  Only files ending in {ALLOWED_SUFFIXES} or {SPECIAL_GIT_GILES} are allowed:"
+    )
+    print("\n".join([str(f) for f in bad_files]))
+    sys.exit(1)
diff --git a/.github/workflows/mirror_data_archive.yml b/.github/workflows/mirror_data_archive.yml
@@ -0,0 +1,45 @@
+name: mirror-archive-on-merge-to-default-branch
+
+on:
+  push:
+   branches:
+       - master
+
+jobs:
+  mirror-archive:
+    runs-on: ubuntu-latest
+    env:
+        BUCKET: attack-range-attack-data
+        ATTACK_DATA_ARCHIVE_FILE: attack_data.tar.zstd
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v4
+      # We must EXPLICITLY specificy lfs: true. It defaults to false
+      with:
+        lfs: true
+
+    - name: Setup AWS CLI and Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ secrets.ACCESS_KEY}}
+        aws-secret-access-key: ${{ secrets.SECRET_ACCESS_KEY }}
+        aws-region: us-west-2
+
+    - name: Create archive of ONLY the datasets folder
+      run: | 
+        # The structure of the tar + zstd archive should mirror that of checking out the repo directly
+        mkdir attack_data
+        mv datasets/ attack_data/.
+
+        #Build some metadata about the archive for documentation purposes
+        git rev-parse HEAD > attack_data/git_hash.txt
+        date -u > attack_data/cache_build_date.txt
+
+        # Compress with number of threads equal to number of CPU cores.
+        # Compression level 10 is a great compromise of speed and file size.
+        # File size reductions are diminishing returns after this - determined experimentally.
+        tar -c attack_data | zstd --compress -T0 -10 -o $ATTACK_DATA_ARCHIVE_FILE
+
+    - name: Upload Attack data archive file to S3 Bucket
+      run: |
+        aws s3 cp $ATTACK_DATA_ARCHIVE_FILE  s3://$BUCKET/    
diff --git a/...03/atomic_red_team/windows-sec-events.out → ...03/atomic_red_team/windows-sec-events.log b/...03/atomic_red_team/windows-sec-events.out → ...03/atomic_red_team/windows-sec-events.log
diff --git a/...ables/suspiciously_named_executables.yaml → ...tables/suspiciously_named_executables.yml b/...ables/suspiciously_named_executables.yaml → ...tables/suspiciously_named_executables.yml
diff --git a/...eloginprofile/aws_createloginprofile.yaml → ...teloginprofile/aws_createloginprofile.yml b/...eloginprofile/aws_createloginprofile.yaml → ...teloginprofile/aws_createloginprofile.yml
diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log
diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log.txt b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log.txt
diff --git a/datasets/attack_techniques/T1203/search_activity.log b/datasets/attack_techniques/T1203/search_activity.log
diff --git a/datasets/attack_techniques/T1203/search_activity.txt b/datasets/attack_techniques/T1203/search_activity.txt
diff --git a/....log/linux_auditd_sysmon_service_stop.log → ...stop/linux_auditd_sysmon_service_stop.log b/....log/linux_auditd_sysmon_service_stop.log → ...stop/linux_auditd_sysmon_service_stop.log
diff --git a/.../linux_auditd_sysmon_service_stop.log.yml → ...stop/linux_auditd_sysmon_service_stop.yml b/.../linux_auditd_sysmon_service_stop.log.yml → ...stop/linux_auditd_sysmon_service_stop.yml
diff --git a/datasets/attack_techniques/T1499/splunk/.gitattributes b/datasets/attack_techniques/T1499/splunk/.gitattributes
diff --git a/datasets/attack_techniques/T1548/splunk/local_privesc_via_nodes_default_path.log b/datasets/attack_techniques/T1548/splunk/local_privesc_via_nodes_default_path.log
diff --git a/datasets/attack_techniques/T1548/splunk/local_privesc_via_nodes_default_path.txt b/datasets/attack_techniques/T1548/splunk/local_privesc_via_nodes_default_path.txt
diff --git a/...hniques/T1555.005/linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.txt b/...hniques/T1555.005/linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.txt
diff --git a/...hniques/T1555.005/linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.yml b/...hniques/T1555.005/linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.yml
diff --git a/...t_disabled/sc_service_start_disabled.yaml → ...rt_disabled/sc_service_start_disabled.yml b/...t_disabled/sc_service_start_disabled.yaml → ...rt_disabled/sc_service_start_disabled.yml
diff --git a/datasets/suspicious_behaviour/linux_post_exploitation/LinuxEnumd.log b/datasets/suspicious_behaviour/linux_post_exploitation/LinuxEnumd.log