From 6aac6637405bc2237480656ab2059fabaf538eb1 Mon Sep 17 00:00:00 2001 
From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Thu, 8 Aug 2024 15:19:08 +1000 Subject: [PATCH] updating datasets --- .../T1222.001/dacl_abuse/dacl_abuse.yml | 1 + ...icious_acl_modification-windows-security-xml.log | 3 +++ .../gpo_modification/group_policy_created.yml | 1 + .../group_policy_deleted/group_policy_deleted.yml | 13 +++++++++++++ .../group_policy_deleted/windows-admon.log | 3 +++ .../group_policy_deleted/windows-security.log | 3 +++ .../group_policy_disabled/group_policy_disabled.yml | 13 +++++++++++++ .../group_policy_disabled/windows-admon.log | 3 +++ .../group_policy_disabled/windows-security.log | 3 +++ .../group_policy_new_cse/group_policy_new_cse.yml | 13 +++++++++++++ .../group_policy_new_cse/windows-admon.log | 3 +++ .../group_policy_new_cse/windows-security.log | 3 +++ .../DCShadowPermissions/windows-security-xml.log | 4 ++-- 13 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log create mode 100644 datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml create mode 100644 datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log create mode 100644 datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log create mode 100644 datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml create mode 100644 datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log create mode 100644 datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log create mode 100644 datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml create mode 100644 datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log create mode 100644 datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log 
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml
index a7fb64a9..222a468b 100644
--- a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml
@@ -11,6 +11,7 @@ dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log sourcetypes: - XmlWinEventLog references:
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log b/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log
new file mode 100644
index 00000000..d2ccb3d5
--- /dev/null
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ac98ac3b2f8f1a70fba88b0f2d3c560be6b7bd5b78442f846b6fca04c4b4a16
+size 27526
diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml b/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml
index ba6d6129..8b8af823 100644
--- a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml
+++ b/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml
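Review bot: The new dataset file name on the added line, `suspicious_acl_modification-windows-security-xml.log`, breaks the naming pattern of its siblings in the same list, which join the scenario name to the `windows-security-xml.log` suffix with an underscore (`domain_root_acl_mod_windows-security-xml.log`, `owner_updated_windows-security-xml.log`). Renaming it to `suspicious_acl_modification_windows-security-xml.log` keeps the directory uniform so the files sort and glob together; the rename would have to be applied to the new LFS pointer file in this patch as well. This is a style point only; the URL and the pointer path agree with each other as written.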
@@ -7,6 +7,7 @@ dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_deletion_windows-security-xml.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_disabled_windows-security-xml.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_new_cse_windows-security-xml.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log sourcetypes: - XmlWinEventLog references:
diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml b/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml
new file mode 100644
index 00000000..5d4de3d7
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml
@@ -0,0 +1,13 @@
+author: Dean Luxton
+id: 01da8fac-17b1-4cc2-9a10-b6ae92dd3d9f
+date: '2024-08-07'
+description: Manually deleting an active directory GPO using the Group Policy Management Console.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log
+sourcetypes:
+- XmlWinEventLog
+- ActiveDirectory
+references:
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log
new file mode 100644
index 00000000..7a19f13c
--- /dev/null
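Review bot: The dataset entry added to group_policy_created.yml points at `gpo_modification/windows-security.log`, but this patch does not create that file: the diffstat lists the new logs only under `group_policy_deleted/`, `group_policy_disabled/` and `group_policy_new_cse/`. Unless `gpo_modification/windows-security.log` already exists on master, the URL will not resolve when the dataset is replayed. It looks like the intended files were the three new per-scenario `windows-security.log` logs, each of which already has its own yml in this patch, so this line may be a leftover that should be dropped or corrected; please confirm against the repository before merging.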
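Review bot: The `description` in the new group_policy_deleted.yml does not say how this dataset differs from the existing `gpo_modification/gpo_deletion_windows-security-xml.log` listed under the same technique in the preceding hunk, so a detection author is left with two GPO-deletion datasets and no guidance on which to use. The visible difference is the additional `windows-admon.log` with the `ActiveDirectory` sourcetype; stating that would make the distinction explicit, e.g. `description: Manually deleting an active directory GPO using the Group Policy Management Console; captures both the Windows Security log and the admon (ActiveDirectory) feed.`. The same gap applies to group_policy_disabled.yml and group_policy_new_cse.yml in the later hunks, which mirror the existing gpo_disabled and gpo_new_cse datasets.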
+++ b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ce24202106e5e1ae492258a5211bbd2a6d961fa91b1b24c746999374bebf8bb
+size 1117
diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log
new file mode 100644
index 00000000..48212b0d
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d061522eef597679ada26b0580687d38e8bede3895f1e975df538b25e0499dec
+size 3801
diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml b/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml
new file mode 100644
index 00000000..2ad2b6d2
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml
@@ -0,0 +1,13 @@
+author: Dean Luxton
+id: b750cea1-b7eb-4ec3-9f6c-7bfec1b7701c
+date: '2024-08-07'
+description: Manually disabling an active directory GPO using the Group Policy Management Console.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log
+sourcetypes:
+- XmlWinEventLog
+- ActiveDirectory
+references:
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log
new file mode 100644
index 00000000..84ac739f
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b9d67957273186e7aac339508b036a4f84f747a2eb8980abae4a8686119b729
+size 1153
diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log
new file mode 100644
index 00000000..ae30dc0a
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b3f947cdc16b83c88123eefa289f113a9fc8fc384c146503e0283682de2dd387
+size 2887
diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml b/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml
new file mode 100644
index 00000000..0309b268
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml
@@ -0,0 +1,13 @@
+author: Dean Luxton
+id: ec16d55d-c0c6-496c-a27f-620ec19db5e5
+date: '2024-08-08'
+description: Manually adding a new client side extension to an existing an active directory group policy using the Group Policy Management Console.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log
+sourcetypes:
+- XmlWinEventLog
+- ActiveDirectory
+references:
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
\ No newline at end of file
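Review bot: The `description` of the new group_policy_new_cse.yml has a duplicated article, `to an existing an active directory group policy`; it should read `description: Manually adding a new client side extension to an existing active directory group policy using the Group Policy Management Console.`. The file is also committed without a trailing newline (`\ No newline at end of file`), unlike group_policy_deleted.yml and group_policy_disabled.yml in this same patch; adding one keeps the three metadata files uniform and avoids a noisy diff on the next edit.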
diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log
new file mode 100644
index 00000000..90594758
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e6a95b12f7cf520acc039c756e5370eb1a82a87539a7854a8020da2bda80a89
+size 2559
diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log
new file mode 100644
index 00000000..af8ecd10
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a9e9c0dc4508cfa3e9120071a04aa7c1570d10ab3267d84105bfd152cef3294
+size 8913
diff --git a/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log b/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log
index 8af71e52..6c481ac2 100644
--- a/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log
+++ b/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1
-oid sha256:98968c96049d919758ee345e7b143c6e94c463da14b41e85252a279b87fd44e1
-size 3742
+oid sha256:195cfc6229784b841f0c0e663f2434dd547a57c550cfbfa546fb814b023ddda2
+size 11300