From 0d1da8e4ae11e9d3c15bcc5b7f7b8a5f35e962d9 Mon Sep 17 00:00:00 2001
From: nasbench
Date: Thu, 23 Oct 2025 19:20:25 +0200
Subject: [PATCH] add oracle and pwsh b64

---
 .../manual_b64_decode_pwsh.log | 3 +++
 .../manual_b64_decode_pwsh.yml | 13 +++++++++++++
 .../oracle_e_business_suite.log | 3 +++
 .../oracle_e_business_suite.yml | 13 +++++++++++++
 4 files changed, 32 insertions(+)
 create mode 100644 datasets/attack_techniques/T1027.010/manual_b64_decode_pwsh/manual_b64_decode_pwsh.log
 create mode 100644 datasets/attack_techniques/T1027.010/manual_b64_decode_pwsh/manual_b64_decode_pwsh.yml
 create mode 100644 datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.log
 create mode 100644 datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.yml

diff --git a/datasets/attack_techniques/T1027.010/manual_b64_decode_pwsh/manual_b64_decode_pwsh.log b/datasets/attack_techniques/T1027.010/manual_b64_decode_pwsh/manual_b64_decode_pwsh.log
new file mode 100644
index 00000000..ca7eb403
--- /dev/null
+++ b/datasets/attack_techniques/T1027.010/manual_b64_decode_pwsh/manual_b64_decode_pwsh.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:578c02d29fd3b8eec51f9603dd5267636bad190d2c091aaf7f34b8c4e32f5e4c
+size 28882
diff --git a/datasets/attack_techniques/T1027.010/manual_b64_decode_pwsh/manual_b64_decode_pwsh.yml b/datasets/attack_techniques/T1027.010/manual_b64_decode_pwsh/manual_b64_decode_pwsh.yml
new file mode 100644
index 00000000..de1d60fc
--- /dev/null
+++ b/datasets/attack_techniques/T1027.010/manual_b64_decode_pwsh/manual_b64_decode_pwsh.yml
@@ -0,0 +1,13 @@
+author: Nasreddine Bencherchali, Splunk
+id: 2d2d0452-1d37-4f73-8e58-c2f0c57de465
+date: '2025-10-23'
+description: Generated datasets covering the manual Base64 decoding using PowerShell.
+environment: attack_range
+directory: manual_b64_decode_pwsh
+mitre_technique:
+- T1027.010
+datasets:
+- name: nirsoft_file_bundle_created.log
+ path: /datasets/attack_techniques/T1027.010/manual_b64_decode_pwsh/manual_b64_decode_pwsh.log
+ sourcetype: XmlWinEventLog
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
diff --git a/datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.log b/datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.log
new file mode 100644
index 00000000..f7286d85
--- /dev/null
+++ b/datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a9613ad58cdd000f352ea5caa7277095a8c12f6563e287e231105c65c16178f6
+size 18032
diff --git a/datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.yml b/datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.yml
new file mode 100644
index 00000000..db491854
--- /dev/null
+++ b/datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.yml
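Review bot: The dataset entry's `name` is `nirsoft_file_bundle_created.log`, which does not match the log file this commit creates (`manual_b64_decode_pwsh.log`, as named in the `directory` and `path` fields of the same hunk) and looks like a leftover from a copied dataset definition. Any consumer that keys on the manifest's `name` will reference a file that does not exist in this directory. Change it to `- name: manual_b64_decode_pwsh.log`. The same copied name appears in the oracle_e_business_suite.yml hunk, where it should be `oracle_e_business_suite.log`.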
@@ -0,0 +1,13 @@
+author: Nasreddine Bencherchali, Splunk
+id: 57776d92-b6db-4bf1-9dd2-e81702059f8e
+date: '2025-10-23'
+description: Generated a fake dataset manually for snort triggers generated by an FTD covering the potential exploitation of Oracle E-Business Suite CVE-2025-61882 and CVE-2025-61884.
+environment: custom
+directory: oracle_e_business_suite
+mitre_technique:
+- T1190
+datasets:
+- name: nirsoft_file_bundle_created.log
+ path: /datasets/attack_techniques/T1027.010/oracle_e_business_suite/oracle_e_business_suite.log
+ sourcetype: cisco:sfw:estreamer
+ source: not_applicable
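Review bot: The `path` field points at `/datasets/attack_techniques/T1027.010/oracle_e_business_suite/oracle_e_business_suite.log`, but the log this commit adds is created at `datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.log` (per the create mode line and the diff header), so tooling that resolves the dataset through this manifest will look in the wrong directory, and the T1027.010 segment also contradicts the `mitre_technique: T1190` declared a few lines above. Change it to ` path: /datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.log`. It would also help to state in `description` that the events are synthetic Snort alerts rather than a capture from a live FTD, so a detection author does not treat the field values as representative of real sensor output.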