Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding new datasets - AD DACL Abuse #906

Merged
merged 2 commits into from
Aug 19, 2024
Merged

Adding new datasets - AD DACL Abuse #906

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6aac663
updating datasets
dluxtron Aug 8, 2024
5564ce2
Merge branch 'splunk:master' into master
dluxtron Aug 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log
sourcetypes:
- XmlWinEventLog
references:
Expand Down
3 changes: 3 additions & 0 deletions ...tack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log
View file
Open in desktop
Git LFS file not shown
1 change: 1 addition & 0 deletions datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_deletion_windows-security-xml.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_disabled_windows-security-xml.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_new_cse_windows-security-xml.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log
sourcetypes:
- XmlWinEventLog
references:
Expand Down
13 changes: 13 additions & 0 deletions datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
author: Dean Luxton
id: 01da8fac-17b1-4cc2-9a10-b6ae92dd3d9f
date: '2024-08-07'
description: Manually deleting an active directory GPO using the Group Policy Management Console.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log
sourcetypes:
- XmlWinEventLog
- ActiveDirectory
references:
- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
3 changes: 3 additions & 0 deletions datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log
View file
Open in desktop
Git LFS file not shown
3 changes: 3 additions & 0 deletions datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log
View file
Open in desktop
Git LFS file not shown
13 changes: 13 additions & 0 deletions datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
author: Dean Luxton
id: b750cea1-b7eb-4ec3-9f6c-7bfec1b7701c
date: '2024-08-07'
description: Manually disabling an active directory GPO using the Group Policy Management Console.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log
sourcetypes:
- XmlWinEventLog
- ActiveDirectory
references:
- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
3 changes: 3 additions & 0 deletions datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log
View file
Open in desktop
Git LFS file not shown
3 changes: 3 additions & 0 deletions datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log
View file
Open in desktop
Git LFS file not shown
13 changes: 13 additions & 0 deletions datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
author: Dean Luxton
id: ec16d55d-c0c6-496c-a27f-620ec19db5e5
date: '2024-08-08'
description: Manually adding a new client side extension to an existing an active directory group policy using the Group Policy Management Console.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log
sourcetypes:
- XmlWinEventLog
- ActiveDirectory
references:
- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
3 changes: 3 additions & 0 deletions datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log
View file
Open in desktop
Git LFS file not shown
3 changes: 3 additions & 0 deletions datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log
View file
Open in desktop
Git LFS file not shown
4 changes: 2 additions & 2 deletions datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log
View file
Open in desktop
Git LFS file not shown
Loading