diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml index a7fb64a9..222a468b 100644 --- a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml +++ b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml @@ -11,6 +11,7 @@ dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log sourcetypes: - XmlWinEventLog references: diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log b/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log new file mode 100644 index 00000000..d2ccb3d5 --- /dev/null +++ b/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4ac98ac3b2f8f1a70fba88b0f2d3c560be6b7bd5b78442f846b6fca04c4b4a16 +size 27526 diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml b/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml index ba6d6129..8b8af823 100644 --- a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml +++ b/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml @@ -7,6 +7,7 @@ dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_deletion_windows-security-xml.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_disabled_windows-security-xml.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_new_cse_windows-security-xml.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log sourcetypes: - XmlWinEventLog references: diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml b/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml new file mode 100644 index 00000000..5d4de3d7 --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml @@ -0,0 +1,13 @@ +author: Dean Luxton +id: 01da8fac-17b1-4cc2-9a10-b6ae92dd3d9f +date: '2024-08-07' +description: Manually deleting an active directory GPO using the Group Policy Management Console. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log +sourcetypes: +- XmlWinEventLog +- ActiveDirectory +references: +- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log new file mode 100644 index 00000000..7a19f13c --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9ce24202106e5e1ae492258a5211bbd2a6d961fa91b1b24c746999374bebf8bb +size 1117 diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log new file mode 100644 index 00000000..48212b0d --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d061522eef597679ada26b0580687d38e8bede3895f1e975df538b25e0499dec +size 3801 diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml b/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml new file mode 100644 index 00000000..2ad2b6d2 --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml @@ -0,0 +1,13 @@ +author: Dean Luxton +id: b750cea1-b7eb-4ec3-9f6c-7bfec1b7701c +date: '2024-08-07' +description: Manually disabling an active directory GPO using the Group Policy Management Console. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log +sourcetypes: +- XmlWinEventLog +- ActiveDirectory +references: +- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log new file mode 100644 index 00000000..84ac739f --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8b9d67957273186e7aac339508b036a4f84f747a2eb8980abae4a8686119b729 +size 1153 diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log new file mode 100644 index 00000000..ae30dc0a --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b3f947cdc16b83c88123eefa289f113a9fc8fc384c146503e0283682de2dd387 +size 2887 diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml b/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml new file mode 100644 index 00000000..0309b268 --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml @@ -0,0 +1,13 @@ +author: Dean Luxton +id: ec16d55d-c0c6-496c-a27f-620ec19db5e5 +date: '2024-08-08' +description: Manually adding a new client side extension to an existing an active directory group policy using the Group Policy Management Console. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log +sourcetypes: +- XmlWinEventLog +- ActiveDirectory +references: +- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory \ No newline at end of file diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log new file mode 100644 index 00000000..90594758 --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2e6a95b12f7cf520acc039c756e5370eb1a82a87539a7854a8020da2bda80a89 +size 2559 diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log new file mode 100644 index 00000000..af8ecd10 --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0a9e9c0dc4508cfa3e9120071a04aa7c1570d10ab3267d84105bfd152cef3294 +size 8913 diff --git a/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log b/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log index 8af71e52..6c481ac2 100644 --- a/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log +++ b/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:98968c96049d919758ee345e7b143c6e94c463da14b41e85252a279b87fd44e1 -size 3742 +oid sha256:195cfc6229784b841f0c0e663f2434dd547a57c550cfbfa546fb814b023ddda2 +size 11300