From a4313e7c09479842e6db6b45c7159e07efafdb00 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 24 Oct 2025 11:36:20 +0200 Subject: [PATCH 1/2] Add YAML metadata for T1003 --- .../attack_techniques/T1003/test4/test4.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 attack_data/datasets/attack_techniques/T1003/test4/test4.yml diff --git a/attack_data/datasets/attack_techniques/T1003/test4/test4.yml b/attack_data/datasets/attack_techniques/T1003/test4/test4.yml new file mode 100644 index 00000000..8972658e --- /dev/null +++ b/attack_data/datasets/attack_techniques/T1003/test4/test4.yml @@ -0,0 +1,13 @@ +author: Patrick Bareiss +id: be4c81af-027e-4bc9-809e-f79e0fcebfee +date: '2025-10-24' +description: Attack data for technique T1003 +environment: attack_range +directory: test4 +mitre_technique: +- T1003 +datasets: +- name: sysmon + path: attack_data/datasets/attack_techniques/T1003/test4/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational From e4dd4ad03f41b18012115265e182a7dc05ad1e7d Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 24 Oct 2025 11:36:21 +0200 Subject: [PATCH 2/2] Add attack data for T1003 --- .../datasets/attack_techniques/T1003/test4/sysmon.log | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 attack_data/datasets/attack_techniques/T1003/test4/sysmon.log diff --git a/attack_data/datasets/attack_techniques/T1003/test4/sysmon.log b/attack_data/datasets/attack_techniques/T1003/test4/sysmon.log new file mode 100644 index 00000000..62484664 --- /dev/null +++ b/attack_data/datasets/attack_techniques/T1003/test4/sysmon.log @@ -0,0 +1,5 @@ +4688201331200x8020000000000000244567Securityar-win-1NT AUTHORITY\SYSTEMAR-WIN-1$WORKGROUP0x3e70x1370C:\Windows\System32\wbem\WmiPrvSE.exe%%19360x310NULL SIDAR-WIN-1$WORKGROUP0x3e4C:\Windows\System32\svchost.exeMandatory Label\System Mandatory Level +4688201331200x8020000000000000244566Securityar-win-1NT AUTHORITY\SYSTEMAR-WIN-1$WORKGROUP0x3e70x868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x994NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level +4688201331200x8020000000000000244565Securityar-win-1NT AUTHORITY\SYSTEMAR-WIN-1$WORKGROUP0x3e70x11bcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x994NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level +154100x800000000000000081660Microsoft-Windows-Sysmon/Operationalar-win-1-2025-10-24 09:35:49.965{2d9b1c52-4875-68fb-5716-010000006903}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.3.0Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2d9b1c52-0eab-68f1-e703-000000000000}0x3e70SystemMD5=E30CB50BE9EC2FB49497F136DC71448F,SHA256=7835B39374396001E12637509AE0D22FCB7E2A89F6143DED03186B500276E537,IMPHASH=D30C8E545B1C24DE4E0DC100EF70F2D0{2d9b1c52-0eb0-68f1-3b00-000000006903}2452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM +154100x800000000000000081659Microsoft-Windows-Sysmon/Operationalar-win-1-2025-10-24 09:35:49.199{2d9b1c52-4875-68fb-5616-010000006903}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.3.0Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2d9b1c52-0eab-68f1-e703-000000000000}0x3e70SystemMD5=F1B469DA7803AFE04870B4871CC0F695,SHA256=8198111A755A6918B5559B548574061A41EF5AACAE706DD154936CFEC6E6432E,IMPHASH=AEB21630574EF01A3A5116CB58C5AC56{2d9b1c52-0eb0-68f1-3b00-000000006903}2452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM