Merge branch 'splunk:master' into master

datasets/attack_techniques/T1003.004/NoLMHash/NoLMHash.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: e68c62ae-dc5b-4852-bfb1-860b104358b7
+date: '2023-12-15'
+description: Generated datasets for NoLMHash in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

datasets/attack_techniques/T1033/whoami_priv/whoami_priv.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: ea89e255-f54a-4627-a8de-10dcbd662993
+date: '2023-12-15'
+description: Generated datasets for whoami priv in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml

@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: d8aaa455-a7ba-4bd8-a588-e09ef1dce552
+date: '2023-12-07'
+description: Kubernetes scanning activity in Kubernetes audit logs.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1046

datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.yml

@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 18171239-e152-41f4-a1af-459d1b2aacb3
+date: '2023-12-14'
+description: Kubernetes audit logs which contains a creation of a cron job.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1053/007

datasets/attack_techniques/T1057/process_commandline_discovery/process_commandline_discovery.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 1c2643c1-0837-4026-a0f1-62ede1415bab
+date: '2023-12-15'
+description: Generated datasets for process commandline discovery in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/powerview_get_netuser_preauthnotrequire.yml

@@ -0,0 +1,12 @@
+author: Teoderick Contreras, Splunk
+id: d6b8075a-9611-4d37-93b7-19dab2fe9105
+date: '2023-12-15'
+description: Generated datasets for powerview get netuser preauthnotrequire in attack
+  range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

datasets/attack_techniques/T1112/no_changing_wallpaper/no_changing_wallpaper.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: da855696-2c81-49ac-8cc6-c801c4683907
+date: '2023-12-12'
+description: Generated datasets for no changing wallpaper in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/no_changing_wallpaper/NoChangingWallPaper.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a

datasets/attack_techniques/T1136.001/net_create_user/net_create_user.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 0cc84545-a4f1-4bbf-b63e-9ba468d13c3d
+date: '2023-12-13'
+description: Generated datasets for net create user in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/net_create_user/net_user_security.log
+sourcetypes:
+- XmlWinEventLog:Security
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/d7c45a052dae283c2fed4da32303cc4265438a50/atomics/T1136.001/T1136.001.md

datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.yml

@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: fb94f5df-1482-49c0-a61f-1d01ed18e4f6
+date: '2023-12-13'
+description: Kubernetes audit logs which contains a creation of a nodeport service.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1204

datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.yml

@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: da189cbc-c959-4681-a173-e409949470d4
+date: '2023-12-14'
+description: Kubernetes audit logs which contains a creation of a DaemonSet.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1204

datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.yml

@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 6604d77c-fdb5-4b1c-9c1f-55ed41fcca8d
+date: '2023-12-13'
+description: Kubernetes falco logs containing a spawned shell.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log
+sourcetypes:
+- kube:container:falco
+references:
+- https://attack.mitre.org/techniques/T1204

datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml

@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 462dfa0b-7aa4-4498-927b-8d9743141e3a
+date: '2023-12-14'
+description: Kubernetes audit logs which contains a creation of a privilged pod.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1204

datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.yml

@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 4db6594e-9e8c-4223-8681-262d06b4b4d3
+date: '2023-12-07'
+description: Kubernetes audit logs which contains a forbidden access to a namespace.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1204

datasets/attack_techniques/T1218.011/update_per_user_system/update_per_user_system.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: f256a0ea-e4ba-472a-9b76-c39d78b08d8e
+date: '2023-12-12'
+description: Generated datasets for update per user system in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/update_per_user_system/rundll32_updateperusersystem.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a

datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml

@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 38e470fb-3c73-42c5-a5e6-47838df5e62e
+date: '2023-12-07'
+description: Kubernetes audit logs which contains pulling a image.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1526

datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.yml

@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: eeb520c4-bdea-4b79-a13e-6d7036e6ddc2
+date: '2023-12-06'
+description: Kubernetes audit log to retrieve a secret from k8s.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1552/007/

datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 5fd828a1-728d-4f17-adba-3e5e43ab290d
+date: '2023-12-12'
+description: Generated datasets for njrat add firewall rule in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://www.splunk.com/en_us/blog/security/more-than-just-a-rat-unveiling-njrat-s-mbr-wiping-capabilities.html

datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml

@@ -0,0 +1,16 @@
+author: Steven Dick
+id: e18714c0-ab84-44f6-9117-5531e3eb3a0c
+date: '2023-10-30'
+description: 'Detection of common behaviors used to abouse NTFS alternate datastreams.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+- WinEventLog:Security
+references:
+- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+- https://car.mitre.org/analytics/CAR-2020-08-001/
+- https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams 
+- https://blog.netwrix.com/2022/12/16/alternate_data_stream/
+- https://twitter.com/0xrawsec/status/1002478725605273600?s=21