Merge pull request #993 from splunk/esxi

ljstella · web-flow · commit 3e0010b16018 · 2025-07-10T13:01:43.000-05:00
ESXi sample data
diff --git a/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:880d7e97db26dbccde3101f25416bf70b743238de17fe1c409c951a58baf2229
+size 1271
diff --git a/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: f4e7c8fc-c534-415b-9f99-9e9419096db5
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to access sensitive files on the ESXi system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1003/008
diff --git a/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a50666c61f331226509ef462349fc891e46caaad70b1767422aee048f664acef
+size 271
diff --git a/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 6cbe3ac7-510d-49ab-983e-7ee504d6f386
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools."
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1005
diff --git a/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f29c867799a0c3156dbc2722410be7e42b989cf3ce6fa13dfeeb26375a3d24e5
+size 1422
diff --git a/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 6bce52c9-2cd1-4916-be2d-7d6214bc5c98
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events ssh being enabled on the ESXi system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1021/004
diff --git a/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73511f8303132563a8da03b915ecd939a4ba54a6254537df804fc817a112bae7
+size 487
diff --git a/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 117b7a96-83f5-4de9-9394-be8997bc43f4
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing ESXi shell access being enabled.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1021
diff --git a/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e67decb5f3d4b9e7e295018deeac05cd70f6c4d3e3747cc07375f91dfce559c5
+size 144
diff --git a/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: cf946971-ec10-4792-a697-4b208bc42e7f
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing reverse shell attempts from the ESXi system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1059
diff --git a/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7cb44861fb8575eb9e3c3176dea650c85f8f670a7156247b7744d65639c5f43c
+size 666
diff --git a/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: f8571084-93e7-46fc-ae37-7a22e81e57f3
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing manipulation of the system clock.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1070
diff --git a/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:529495add2afe5c4a8df1b46988666ca9464cf8f8d23747d43f424a1fe592f23
+size 1636
diff --git a/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: ebd8a8a8-e517-43d1-b744-a8260f18ef6e
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing root logins from an external system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1078
diff --git a/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2b0f7cdb0270d0c04621928f1fa89263aeb8790e3d465813a62c6354be5bd91a
+size 6591
diff --git a/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: a61432b5-65c6-4509-b44a-3c176fa00d86
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing root logins from multple locations in quick succession.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1078
diff --git a/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7fd9e863079f9937ca4c9fa5208fc69600f3206599388e2d006b3568b982c7bb
+size 4160
diff --git a/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 632f631d-6d62-4bc6-8b6b-c51a9134a016
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to enumerate system information.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1082
diff --git a/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.log b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d1676c13cb085999a21651b71e4e683c3c705af1378153a91472812e943e5d1c
+size 770
diff --git a/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 7ebe0ae9-792a-4da1-aa7d-b338db54edfc
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing account manipulation of esxi account with malicious intent.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_account_modified/esxi_account_modified.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1098/
diff --git a/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:07eddeb84bba145ac2345c65744f2017dd8b0873312576787ce072dec2ca2aa5
+size 306
diff --git a/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 6957528c-1167-469f-a982-d03dea0ff09e
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing account manipulation of esxi account to give it the admin role.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1098/
diff --git a/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:19f8cb2e6f07b840f59333038e4c9ebf358104e8088be0c85497c711dab78e22
+size 5255
diff --git a/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 5c239f0f-ec10-4107-b6a0-c9228257e4b1
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing an ssh brute force attempt against an ESXi server.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1110
diff --git a/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:137f78ea3cb76f7b5a2545b7f9b7b3d46e305f931fa4f2042af1539fd0091eff
+size 4484
diff --git a/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 61568617-ad53-4998-b9aa-88d4114f5330
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing attempted forced installation of malicious VIBs'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1505/006
diff --git a/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:258f5f3a6a43b615b162fac10b865bfdf75ab450c4735437b4d81d5ab8f17534
+size 1073
diff --git a/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 2bbe8c66-7262-4e13-b9a0-9d521e5d6305
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing commands used for bulk termination of VMs.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1529
diff --git a/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b2878648d405d9320c50e4807c0de17de4a32e7a982f56280d0e165b4a3c95fd
+size 1258
diff --git a/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 1ca23917-04c2-41db-b31b-702bcd728737
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing tampering of audit settings.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/003
diff --git a/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:24a0ba17de262a72d7ba21c8439b13e8e555deedc6fd7f284c761022d41e8383
+size 606
diff --git a/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 125f03ca-3a22-4bf7-bb02-4abd338b326e
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to modify the loghost configuration.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/003
diff --git a/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:699f09e84adb22f488ace9675c06d1ff65e81623425c7d817aeb57e9223e9647
+size 172
diff --git a/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: c012bd08-cbdb-49b6-9a0d-acd51b1f1cca
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to modify the syslog configuration.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/003
diff --git a/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dff7f7bf4bf7cc798184c3e2aab328a4291fc0c1dbc423185a49f40684d3e1a8
+size 286
diff --git a/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 39edc074-9898-4de9-8296-45c51b7e18dd
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing attempts to disable the firewall.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/004
diff --git a/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0e2ff09e1ad025b09d3b1f1f69f27b0c3f7f8c5d9cb803f0509de7d1c932b943
+size 1878
diff --git a/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 05d39cf3-abd8-46e3-b775-88935c28fffc
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing ESXi encryption settings being modified to impair defenses.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562
diff --git a/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12ece619eeada18020899ecefca2ba28eea5a5c5fe32b3640f5c368ab8d80058
+size 945
diff --git a/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 98448462-9f32-47ef-ac24-844bb1c0f1c0
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing ESXi lockdown settings being modified to impair defenses.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562
diff --git a/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46512a7a1a48a1efb3f2237de5911be86b61909cb9749efcbc264af28b967f5d
+size 951
diff --git a/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 2440ce36-e445-4b34-8591-12afd1f8c884
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing modification to ESXi VIB acceptance levels."
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562
diff --git a/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5e13c41d408677bde3f4b838e255806dd2380393ae7276b27ddee301619a657
+size 2396
diff --git a/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: a398a202-5b62-4043-9286-647fde220dca
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing dormant VMs being activated.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1584
diff --git a/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:26ac5d8afa9fe98c0a7b125d923252ed90fc7e3bd77f000caf13807e5c7736c1
+size 5333
diff --git a/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 39edc074-9898-4de9-8296-45c51b7e18dd
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing failed attempts to install malicious VIBs.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1601/001
diff --git a/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eedcd884130ddbdafcf0df25c8d7366b782ec79aa3636f463f2c0ca9b0d320f9
+size 1743
diff --git a/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: d3f26d3a-3ae5-4e3d-a9b3-567622b6fb1d
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events VM discovery commands."
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1673

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:880d7e97db26dbccde3101f25416bf70b743238de17fe1c409c951a58baf2229`
	`3`	`+size 1271`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:a50666c61f331226509ef462349fc891e46caaad70b1767422aee048f664acef`
	`3`	`+size 271`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:f29c867799a0c3156dbc2722410be7e42b989cf3ce6fa13dfeeb26375a3d24e5`
	`3`	`+size 1422`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:73511f8303132563a8da03b915ecd939a4ba54a6254537df804fc817a112bae7`
	`3`	`+size 487`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:e67decb5f3d4b9e7e295018deeac05cd70f6c4d3e3747cc07375f91dfce559c5`
	`3`	`+size 144`