Merge branch 'master' of https://github.com/splunk/attack_data

MHaggis · MHaggis · commit c75470a36d3b · 2025-08-07T10:05:56.000-06:00
diff --git a/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml b/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml
@@ -0,0 +1,12 @@
+author: Raven Tait, Splunk
+id: 2481e83c-b888-4383-bc61-9d292f4e03ea
+date: '2025-08-05'
+description: Logs from usage of the Medusa rootkit on a Linux host.
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+- Syslog:Linux-Sysmon/Operational
+references:
+- https://attack.mitre.org/techniques/T1014/
diff --git a/datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log b/datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:092f23c31aaa9c2f26d38c083255ade96bd953e0b5110443e9c1d39ae487bf63
+size 6275
diff --git a/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.log b/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02509f46c0827bf20cab033da354191ec78f76f78cee88ab469b800efa816089
+size 1092
diff --git a/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml b/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 2050c38a-6d1e-11f0-86b8-629be3538068
+date: '2025-07-30'
+description: Generated datasets for bmc creation in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
diff --git a/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admin.log b/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admin.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2b4e043ffb2a24d2da86e1ef9b396fc53cc8169d4974434057d4d1a802eb7540
+size 19709
diff --git a/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml b/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: bf432e34-6d3b-11f0-86b8-629be3538068
+date: '2025-07-30'
+description: Generated datasets for mstsc admini in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admin.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
diff --git a/datasets/attack_techniques/T1021.001/rdp_creation/deafault_rdp_created.log b/datasets/attack_techniques/T1021.001/rdp_creation/deafault_rdp_created.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:48db5e0511cab2055386df33d44309cc03fc81f61292ce939d2ceef18d8443a5
+size 1048
diff --git a/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml b/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 30e07cc0-6d25-11f0-86b8-629be3538068
+date: '2025-07-30'
+description: Generated datasets for rdp creation in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/rdp_creation/deafault_rdp_created.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
diff --git a/datasets/attack_techniques/T1021.001/rdp_session_established/4624_10_logon.log b/datasets/attack_techniques/T1021.001/rdp_session_established/4624_10_logon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03a9cef0403dda73c10b0b27f051e39d9dd7b3ab05514c59b1ef11fef60c56df
+size 29431
diff --git a/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml b/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: d96eb482-6dee-11f0-b544-629be3538069
+date: '2025-07-31'
+description: Generated datasets for rdp session established in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/rdp_session_established/4624_10_logon.log
+sourcetypes:
+- 'XmlWinEventLog:Security'
+references:
+- https://thelocalh0st.github.io/posts/rdp/
diff --git a/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml b/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 27f7e43a-6d3a-11f0-86b8-629be3538068
+date: '2025-07-30'
+description: Generated datasets for terminal server reg created in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_sever_client_Reg_created.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
diff --git a/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_sever_client_Reg_created.log b/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_sever_client_Reg_created.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5342e02893436798ee664d51b0c19098a395b99039e208d4e5e7f6f530cf6c82
+size 8021
diff --git a/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.log b/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e01d3f22c954a724a0ce81fc3537dedc15a33699315190fecca6303390d0dc44
+size 24073
diff --git a/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml b/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: a2d674e4-6d3c-11f0-86b8-629be3538068
+date: '2025-07-30'
+description: Generated datasets for unhide file in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
diff --git a/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.log b/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdb0794700ffe957bbf8914768c60f43eaf3261c7c2f8c1c06d7c01e60f6be25
+size 2385
diff --git a/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml b/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 45640c5f-9ef7-4d93-aa3e-2bc188d0be0a
+date: '2025-07-30'
+description: 'Sample of Sysmon events showing execution of commands on a host via VMWare Tools.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://attack.mitre.org/techniques/T1059
diff --git a/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.log b/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f9c8d1b18a31990e5a0b741f8624e92b90b7733db2be3e3c84fb3a27fbc87e37
+size 2634
diff --git a/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml b/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: c6e9706c-6d27-11f0-86b8-629be3538068
+date: '2025-07-30'
+description: Generated datasets for automatic file deleted in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
diff --git a/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.log b/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:87240fa72a24d0bc31599feee506289d25eade037e565ad7ab58cd38a5bf0f99
+size 1278
diff --git a/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml b/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: e9002aca-6d26-11f0-86b8-629be3538068
+date: '2025-07-30'
+description: Generated datasets for bmc file deleted in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
diff --git a/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml b/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 55943188-6d25-11f0-86b8-629be3538068
+date: '2025-07-30'
+description: Generated datasets for rdp deletion in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_file_deleted.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
diff --git a/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_file_deleted.log b/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_file_deleted.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:25af6d9241545d5923e6153b0b12bb52ca0b590abdfa3623ca3e9036572ad4d9
+size 2470
diff --git a/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_client_reg_deleted.log b/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_client_reg_deleted.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:493010eceea55098ea984de69250fc32e36d4fcbf11a04fd218c7e2134a77e7c
+size 3254
diff --git a/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml b/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 8c2fbcce-6d3b-11f0-86b8-629be3538068
+date: '2025-07-30'
+description: Generated datasets for terminal server reg deleted in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_client_reg_deleted.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
diff --git a/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.log b/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7b59305a325b7cc064ae1f5a4be1944d3db6070cb3775ec6583c36f8e676aaa5
+size 4542
diff --git a/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml b/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: eff617c0-72aa-11f0-9625-629be3538068
+date: '2025-08-06'
+description: Generated datasets for reg profiles private in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
diff --git a/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml b/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 76f9a94c-6c63-11f0-89ae-629be3538068
+date: '2025-07-29'
+description: Generated datasets for rundll32 dll in temp in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_tmp.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
diff --git a/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_tmp.log b/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_tmp.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ac4747551f733d673cd6828a55732b7b542d3552698325cbdac2df2a69aa62f
+size 4057
diff --git a/datasets/attack_techniques/T1567/gdrive/gdrive.yml b/datasets/attack_techniques/T1567/gdrive/gdrive.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 9c1ebd7e-b293-4238-98ff-4ecef8444cdb
+date: '2025-08-01'
+description: Simulate usage of the gdrive binary to interact with Google Drive.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/gdrive/gdrive_windows.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/gdrive/gdrive_linux.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+- Syslog:Linux-Sysmon/Operational
+references:
+- https://attack.mitre.org/techniques/T1567/
diff --git a/datasets/attack_techniques/T1567/gdrive/gdrive_linux.log b/datasets/attack_techniques/T1567/gdrive/gdrive_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f06508f6810bcfc183393448f973db7185e0059fc1b716e45fe42cd620b9d701
+size 5545
diff --git a/datasets/attack_techniques/T1567/gdrive/gdrive_windows.log b/datasets/attack_techniques/T1567/gdrive/gdrive_windows.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:786779dfc83f8224d97287cb497e6d44468212203b717ab41ba193aa6de5d4c3
+size 6602
diff --git a/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml b/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: e90865ba-72ac-11f0-9625-629be3538068
+date: '2025-08-06'
+description: Generated datasets for firewall api path in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
diff --git a/datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log b/datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2973ed09af8ca140f4c0da90d12a1399a2765428f6b4388df1f8876f45978d78
+size 1555
diff --git a/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml b/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 28f730ce-72ae-11f0-9625-629be3538068
+date: '2025-08-06'
+description: Generated datasets for add store cert in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
diff --git a/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log b/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c31b0e86dd5ed796d2f2bcab64c479fe15a895bd0597961dc3746ad8603e4065
+size 4040

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:092f23c31aaa9c2f26d38c083255ade96bd953e0b5110443e9c1d39ae487bf63`
	`3`	`+size 6275`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:02509f46c0827bf20cab033da354191ec78f76f78cee88ab469b800efa816089`
	`3`	`+size 1092`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:2b4e043ffb2a24d2da86e1ef9b396fc53cc8169d4974434057d4d1a802eb7540`
	`3`	`+size 19709`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:48db5e0511cab2055386df33d44309cc03fc81f61292ce939d2ceef18d8443a5`
	`3`	`+size 1048`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:03a9cef0403dda73c10b0b27f051e39d9dd7b3ab05514c59b1ef11fef60c56df`
	`3`	`+size 29431`