Merge pull request #1128 from splunk/lotus

MHaggis · web-flow · commit 0050552cc95e · 2026-02-05T08:06:36.000-07:00
Lotus Blossom
diff --git a/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/dataset.yml b/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/dataset.yml
@@ -0,0 +1,13 @@
+author: Michael Haag, Splunk
+id: 5010d236-00a5-434f-bfeb-20af07d478aa
+date: '2026-02-02'
+description: Lotus Blossom TinyCC shellcode execution simulation. Svchost.exe executed with TinyCC compiler flags (-nostdlib -run) to simulate Chrysalis backdoor's shellcode compilation technique.
+environment: attack_range
+directory: lotus_blossom_chrysalis
+mitre_technique:
+- T1059.005
+datasets:
+- name: windows-sysmon.log
+  path: /datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log b/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb5ea7112ec60ef8c6c4abfe3f2d5eccb0d7e8435e0da8ffdc7ff276878e7caf
+size 4713
diff --git a/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/dataset.yml b/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/dataset.yml
@@ -0,0 +1,13 @@
+author: Michael Haag, Splunk
+id: bfab9adc-3767-487a-87cd-35f1a7cd8706
+date: '2026-02-02'
+description: Lotus Blossom BluetoothService persistence test execution. Service created in user AppData directory for persistence.
+environment: attack_range
+directory: lotus_blossom_chrysalis
+mitre_technique:
+- T1543.003
+datasets:
+- name: windows-system.log
+  path: /datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log
+  sourcetype: XmlWinEventLog:System
+  source: XmlWinEventLog:System
diff --git a/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log b/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a93c337278af4bd34e2cb4ebebf32144a6827d40f760d0ecb6dbd80be2370f8e
+size 2326
diff --git a/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/dataset.yml b/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/dataset.yml
@@ -0,0 +1,13 @@
+author: Michael Haag, Splunk
+id: 66eb3815-e429-4bc2-a8f1-e3ea8bc7e8c2
+date: '2026-02-02'
+description: Lotus Blossom Bitdefender DLL side-loading test execution. Rundll32.exe loading malicious log.dll from user directory mimicking Bitdefender Submission Wizard abuse.
+environment: attack_range
+directory: lotus_blossom_chrysalis
+mitre_technique:
+- T1574.002
+datasets:
+- name: windows-sysmon.log
+  path: /datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log b/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:66dad57f32a2178a924c5742ac7b68fa74d745d9efb8ac7796067e3464b9307c
+size 9226

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:cb5ea7112ec60ef8c6c4abfe3f2d5eccb0d7e8435e0da8ffdc7ff276878e7caf`
	`3`	`+size 4713`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:a93c337278af4bd34e2cb4ebebf32144a6827d40f760d0ecb6dbd80be2370f8e`
	`3`	`+size 2326`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:66dad57f32a2178a924c5742ac7b68fa74d745d9efb8ac7796067e3464b9307c`
	`3`	`+size 9226`