From 533322e3b5ff37db92cc748d6d52e45d3daa920b Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Thu, 22 Jan 2026 23:02:11 +0530
Subject: [PATCH 1/3] updating to new folder

---
 .../T1071.004/long_dns_query/atomic_red_team.yml | 13 +++++++++++++
 .../long_dns_query}/dns-sysmon.log | 0
 2 files changed, 13 insertions(+)
 create mode 100644 datasets/attack_techniques/T1071.004/long_dns_query/atomic_red_team.yml
 rename datasets/attack_techniques/{T1021.002/atomic_red_team => T1071.004/long_dns_query}/dns-sysmon.log (100%)

diff --git a/datasets/attack_techniques/T1071.004/long_dns_query/atomic_red_team.yml b/datasets/attack_techniques/T1071.004/long_dns_query/atomic_red_team.yml
new file mode 100644
index 00000000..9f61dbe4
--- /dev/null
+++ b/datasets/attack_techniques/T1071.004/long_dns_query/atomic_red_team.yml
@@ -0,0 +1,13 @@
+author: Bhavin Patel, Splunk
+id: d1c13a02-9fa8-4d72-8e80-a75db51ed88e
+date: '2026-01-22'
+description: 'Contains DNS query data from the windows machine where powershell is trying to make a query to a long domain name'
+environment: attack_range
+directory: atomic_red_team
+mitre_technique:
+- T1071.004
+datasets:
+- name: dns-sysmon
+ path: /datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1021.002/atomic_red_team/dns-sysmon.log b/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
similarity index 100%
rename from datasets/attack_techniques/T1021.002/atomic_red_team/dns-sysmon.log
rename to datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log

From fa7d5305ed44d5b5eabecfa4280da2cc4d71c51f Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 23 Jan 2026 00:05:01 +0530
Subject: [PATCH 2/3] moar data

---
 .../attack_techniques/T1071.004/long_dns_query/dns-sysmon.log | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
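Review bot: `directory: atomic_red_team` disagrees with where this manifest and its dataset actually live — the file header and the `path:` value both point at `T1071.004/long_dns_query/`, the folder the commit itself moves the log into. If the consuming tooling resolves dataset locations from `directory` (that code is not visible here), lookups against this manifest will miss; if the field is instead meant as a label for the generator/source, that intent should be stated so the mismatch is not read as an error. Either change it to `directory: long_dns_query` or add `# directory: label for the data generator, not the on-disk folder (see path below)` above it. Separately, the `description` would serve T1071.004 detection authors better if it named the Sysmon event type the log contains and the approximate query length that makes these queries "long", since length thresholds are what DNS-tunneling detections tune on; the claim that PowerShell issued the queries should be checked against the `Image` field in the events, which cannot be inspected from the LFS pointer in this series.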
diff --git a/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log b/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
index 606779b5..eda09d8b 100644
--- a/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
+++ b/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ce0cb13d031325ebf258d9a81aa4b4ed8efbc234bda2e4d1801f7701b8b6918c
-size 6689
+oid sha256:309affce72ee83c4a7d6f5d714f1f5f1ec0eb25f92df49e19bb73a7a6779c6b5
+size 14345

From a757c3320160088e49154a92fead7ad1d8f25731 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 23 Jan 2026 00:06:10 +0530
Subject: [PATCH 3/3] testing by adding more events

---
 .../attack_techniques/T1071.004/long_dns_query/dns-sysmon.log | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log b/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
index eda09d8b..3bc71e10 100644
--- a/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
+++ b/datasets/attack_techniques/T1071.004/long_dns_query/dns-sysmon.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:309affce72ee83c4a7d6f5d714f1f5f1ec0eb25f92df49e19bb73a7a6779c6b5
-size 14345
+oid sha256:665351a29bf5545503fb572c808bf9ebf157e74ec6dcc8a098890551db6932ed
+size 14344