From a599560f18104a8edf34aba6bc03daea245f305d Mon Sep 17 00:00:00 2001 From: Raven Tait Date: Tue, 28 Oct 2025 15:50:46 -0400 Subject: [PATCH] More WSUS data --- datasets/attack_techniques/T1505.003/T1505.003.yml | 14 +++++++++++++- datasets/attack_techniques/T1505.003/suricata.log | 3 +++ datasets/attack_techniques/T1505.003/wsus-iis.log | 3 +++ .../T1505.003/wsus-sa-windows-sysmon.log | 3 +++ 4 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 datasets/attack_techniques/T1505.003/suricata.log create mode 100644 datasets/attack_techniques/T1505.003/wsus-iis.log create mode 100644 datasets/attack_techniques/T1505.003/wsus-sa-windows-sysmon.log diff --git a/datasets/attack_techniques/T1505.003/T1505.003.yml b/datasets/attack_techniques/T1505.003/T1505.003.yml index baa75c20..b7f964ec 100644 --- a/datasets/attack_techniques/T1505.003/T1505.003.yml +++ b/datasets/attack_techniques/T1505.003/T1505.003.yml @@ -1,6 +1,6 @@ author: Michael Haag id: cc9b2609-efc9-11eb-926b-550bf0943fbb -date: '2025-10-24' +date: '2025-10-28' description: The following data was produced to emulate IIS, w3wp.exe, spawning shells, simulating web shell activity. In addition, behavior related to Microsoft Exchange Server's Unified Messaging services, umworkerprocess.exe and umservice.exe, spawning @@ -32,3 +32,15 @@ datasets: path: /datasets/attack_techniques/T1505.003/wsus-windows-sysmon.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: wsus-sa-windows-sysmon + path: /datasets/attack_techniques/T1505.003/wsus-sa-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: wsus-iis + path: /datasets/attack_techniques/T1505.003/wsus-iis.log + sourcetype: iis + source: iis +- name: wsus-suricata + path: /datasets/attack_techniques/T1505.003/wsus-suricata.log + sourcetype: suricata + source: suricata 
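Review bot: The new `wsus-suricata` entry in the `@@ -32,3 +32,15 @@` hunk points at `/datasets/attack_techniques/T1505.003/wsus-suricata.log`, but the file this commit creates is `datasets/attack_techniques/T1505.003/suricata.log`; no `wsus-suricata.log` appears in the diffstat. Unless that file already exists elsewhere in the repository, anything that replays this dataset will fail to resolve the path, and detections that depend on the Suricata events would go untested. Either rename the added file to `wsus-suricata.log`, which matches the `wsus-iis.log` and `wsus-sa-windows-sysmon.log` siblings, or change the entry to `path: /datasets/attack_techniques/T1505.003/suricata.log`. Renaming looks preferable, since a generic `suricata.log` in a shared technique directory is easy to confuse with or overwrite by a later capture.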
diff --git a/datasets/attack_techniques/T1505.003/suricata.log b/datasets/attack_techniques/T1505.003/suricata.log
new file mode 100644
index 00000000..daa5ab19
--- /dev/null
+++ b/datasets/attack_techniques/T1505.003/suricata.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e5a3b0efb827df055104d0ddfa7660b8699a9713db37f27338a474838b19ed27
+size 18198
diff --git a/datasets/attack_techniques/T1505.003/wsus-iis.log b/datasets/attack_techniques/T1505.003/wsus-iis.log
new file mode 100644
index 00000000..05c347c7
--- /dev/null
+++ b/datasets/attack_techniques/T1505.003/wsus-iis.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd395beee7b6a091bf557930ee9b69103601ba0b7a04c6a27f82131402d88712
+size 20559
diff --git a/datasets/attack_techniques/T1505.003/wsus-sa-windows-sysmon.log b/datasets/attack_techniques/T1505.003/wsus-sa-windows-sysmon.log
new file mode 100644
index 00000000..46d4eb53
--- /dev/null
+++ b/datasets/attack_techniques/T1505.003/wsus-sa-windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3fb605825f6598cbcde1f339cc2f9eebafee494525d133377733f16791d04aa0
+size 5499