From dd178414aeb54a5a2eceb998c40e37afa09c27c4 Mon Sep 17 00:00:00 2001 
From: Raven Tait Date: Thu, 10 Jul 2025 12:49:07 -0400 Subject: [PATCH] ESXi sample data random assortment of ESXi sample data --- .../esxi_sensitive_files/esxi_sensitive_files.log | 3 +++ .../esxi_sensitive_files/esxi_sensitive_files.yml | 11 +++++++++++ .../T1005/esxi_vm_download/esxi_vm_download.log | 3 +++ .../T1005/esxi_vm_download/esxi_vm_download.yml | 11 +++++++++++ .../T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log | 3 +++ .../T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml | 11 +++++++++++ .../T1021/esxi_shell_enabled/esxi_shell_enabled.log | 3 +++ .../T1021/esxi_shell_enabled/esxi_shell_enabled.yml | 11 +++++++++++ .../T1059/esxi_reverse_shell/esxi_reverse_shell.log | 3 +++ .../T1059/esxi_reverse_shell/esxi_reverse_shell.yml | 11 +++++++++++ .../esxi_system_clock_manipulation.log | 3 +++ .../esxi_system_clock_manipulation.yml | 11 +++++++++++ .../esxi_external_root_login.log | 3 +++ .../esxi_external_root_login.yml | 11 +++++++++++ .../esxi_stolen_root_account.log | 3 +++ .../esxi_stolen_root_account.yml | 11 +++++++++++ .../esxi_system_information.log | 3 +++ .../esxi_system_information.yml | 11 +++++++++++ .../esxi_account_modified.log | 3 +++ .../esxi_account_modified.yml | 11 +++++++++++ .../T1098/esxi_admin_role/esxi_admin_role.log | 3 +++ .../T1098/esxi_admin_role/esxi_admin_role.yml | 11 +++++++++++ .../esxi_ssh_brute_force/esxi_ssh_brute_force.log | 3 +++ .../esxi_ssh_brute_force/esxi_ssh_brute_force.yml | 11 +++++++++++ .../esxi_malicious_vib_forced_install.log | 3 +++ .../esxi_malicious_vib_forced_install.yml | 11 +++++++++++ .../esxi_bulk_vm_termination.log | 3 +++ .../esxi_bulk_vm_termination.yml | 11 +++++++++++ .../esxi_audit_tampering/esxi_audit_tampering.log | 3 +++ .../esxi_audit_tampering/esxi_audit_tampering.yml | 11 +++++++++++ .../esxi_loghost_config_tampering.log | 3 +++ .../esxi_loghost_config_tampering.yml | 11 +++++++++++ .../esxi_syslog_config/esxi_syslog_config.log | 3 +++ .../esxi_syslog_config/esxi_syslog_config.yml | 11 
+++++++++++ .../esxi_firewall_disabled/esxi_firewall_disabled.log | 3 +++ .../esxi_firewall_disabled/esxi_firewall_disabled.yml | 11 +++++++++++ .../esxi_encryption_modified.log | 3 +++ .../esxi_encryption_modified.yml | 11 +++++++++++ .../esxi_lockdown_disabled/esxi_lockdown_disabled.log | 3 +++ .../esxi_lockdown_disabled/esxi_lockdown_disabled.yml | 11 +++++++++++ .../esxi_vib_acceptance_level_tampering.log | 3 +++ .../esxi_vib_acceptance_level_tampering.yml | 11 +++++++++++ .../esxi_dormant_vm_started.log | 3 +++ .../esxi_dormant_vm_started.yml | 11 +++++++++++ .../esxi_download_errors/esxi_download_errors.log | 3 +++ .../esxi_download_errors/esxi_download_errors.yml | 11 +++++++++++ .../T1673/esxi_vm_discovery/esxi_vm_discovery.log | 3 +++ .../T1673/esxi_vm_discovery/esxi_vm_discovery.yml | 11 +++++++++++ 48 files changed, 336 insertions(+) create mode 100644 datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log create mode 100644 datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml create mode 100644 datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log create mode 100644 datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml create mode 100644 datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log create mode 100644 datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml create mode 100644 datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log create mode 100644 datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml create mode 100644 datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log create mode 100644 datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml create mode 100644 datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log create mode 100644 
datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml create mode 100644 datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log create mode 100644 datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml create mode 100644 datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log create mode 100644 datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml create mode 100644 datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log create mode 100644 datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml create mode 100644 datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.log create mode 100644 datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml create mode 100644 datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log create mode 100644 datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml create mode 100644 datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log create mode 100644 datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml create mode 100644 datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log create mode 100644 datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml create mode 100644 datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log create mode 100644 datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml create mode 100644 datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log create mode 100644 datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml create mode 100644 
datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log create mode 100644 datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml create mode 100644 datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log create mode 100644 datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml create mode 100644 datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log create mode 100644 datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml create mode 100644 datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log create mode 100644 datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml create mode 100644 datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log create mode 100644 datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml create mode 100644 datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log create mode 100644 datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml create mode 100644 datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log create mode 100644 datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml create mode 100644 datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log create mode 100644 datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml create mode 100644 datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log create mode 100644 datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml 
diff --git a/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log
new file mode 100644
index 000000000..b8dc41dd6
--- /dev/null
+++ b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:880d7e97db26dbccde3101f25416bf70b743238de17fe1c409c951a58baf2229
+size 1271
diff --git a/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml
new file mode 100644
index 000000000..0d969405e
--- /dev/null
+++ b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: f4e7c8fc-c534-415b-9f99-9e9419096db5
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to access sensitive files on the ESXi system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1003/008
diff --git a/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log
new file mode 100644
index 000000000..cb21388b1
--- /dev/null
+++ b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a50666c61f331226509ef462349fc891e46caaad70b1767422aee048f664acef
+size 271
diff --git a/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml
new file mode 100644
index 000000000..7024e2b33
--- /dev/null
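Review bot: The esxi_sensitive_files.log hunk commits only a Git LFS pointer (oid and size), so the sample events themselves cannot be reviewed in this patch, and the same holds for every other .log file in the series. Presumably the events carry synthetic hostnames, addresses and account names rather than values copied from a real environment; that is worth confirming before merge, since the `dataset` URL in the companion yml publishes the file. A short statement to that effect in the yml `description`, for example `Events are synthetic; hostnames and addresses are placeholders.`, would record it for consumers of the dataset.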
+++ b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 6cbe3ac7-510d-49ab-983e-7ee504d6f386
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools."
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1005
diff --git a/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log
new file mode 100644
index 000000000..81cccf774
--- /dev/null
+++ b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f29c867799a0c3156dbc2722410be7e42b989cf3ce6fa13dfeeb26375a3d24e5
+size 1422
diff --git a/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml
new file mode 100644
index 000000000..4e7ed3744
--- /dev/null
+++ b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 6bce52c9-2cd1-4916-be2d-7d6214bc5c98
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events ssh being enabled on the ESXi system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1021/004
diff --git a/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log
new file mode 100644
index 000000000..b926b9e0c
--- /dev/null
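Review bot: The `description` scalar in esxi_vm_download.yml opens with a single quote and closes with a double quote, so the single-quoted scalar is never terminated and a YAML parser will keep consuming the following keys until it hits end of file; the file will not load. Change the line to `description: 'Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools.'`. The esxi_vib_acceptance_level_tampering.yml hunk later in the patch has the same quote mismatch on its `description` line.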
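Review bot: The `description` in esxi_ssh_enabled.yml is missing the verb that every other description in this series uses, reading `events ssh being enabled`. Suggest `description: 'Sample of ESXi syslog events showing ssh being enabled on the ESXi system.'` so the wording matches its siblings.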
+++ b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73511f8303132563a8da03b915ecd939a4ba54a6254537df804fc817a112bae7
+size 487
diff --git a/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml
new file mode 100644
index 000000000..b3e936a27
--- /dev/null
+++ b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 117b7a96-83f5-4de9-9394-be8997bc43f4
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing ESXi shell access being enabled.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1021
diff --git a/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log
new file mode 100644
index 000000000..5c5b0ea5b
--- /dev/null
+++ b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e67decb5f3d4b9e7e295018deeac05cd70f6c4d3e3747cc07375f91dfce559c5
+size 144
diff --git a/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml
new file mode 100644
index 000000000..d5cfc80ec
--- /dev/null
+++ b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: cf946971-ec10-4792-a697-4b208bc42e7f
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing reverse shell attempts from the ESXi system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1059
diff --git a/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log
new file mode 100644
index 000000000..121f895ee
--- /dev/null
+++ b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7cb44861fb8575eb9e3c3176dea650c85f8f670a7156247b7744d65639c5f43c
+size 666
diff --git a/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml
new file mode 100644
index 000000000..b5c1411f2
--- /dev/null
+++ b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: f8571084-93e7-46fc-ae37-7a22e81e57f3
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing manipulation of the system clock.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1070
diff --git a/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log
new file mode 100644
index 000000000..e47e60966
--- /dev/null
+++ b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:529495add2afe5c4a8df1b46988666ca9464cf8f8d23747d43f424a1fe592f23
+size 1636
diff --git a/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml
new file mode 100644
index 000000000..f29be6cbd
--- /dev/null
+++ b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: ebd8a8a8-e517-43d1-b744-a8260f18ef6e
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing root logins from an external system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1078
diff --git a/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log
new file mode 100644
index 000000000..693d9c98d
--- /dev/null
+++ b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2b0f7cdb0270d0c04621928f1fa89263aeb8790e3d465813a62c6354be5bd91a
+size 6591
diff --git a/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml
new file mode 100644
index 000000000..966851506
--- /dev/null
+++ b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: a61432b5-65c6-4509-b44a-3c176fa00d86
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing root logins from multple locations in quick succession.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1078
diff --git a/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log
new file mode 100644
index 000000000..b840b430e
--- /dev/null
+++ b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7fd9e863079f9937ca4c9fa5208fc69600f3206599388e2d006b3568b982c7bb
+size 4160
diff --git a/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml
new file mode 100644
index 000000000..6782dd4fe
--- /dev/null
+++ b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml
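Review bot: Typo in the `description` of esxi_stolen_root_account.yml: `multple` should be `multiple`, giving `description: 'Sample of ESXi syslog events showing root logins from multiple locations in quick succession.'`. This string is what consumers see when the dataset is listed, so it is worth correcting before the file is published.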
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 632f631d-6d62-4bc6-8b6b-c51a9134a016
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to enumerate system information.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1082
diff --git a/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.log b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.log
new file mode 100644
index 000000000..a41766973
--- /dev/null
+++ b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d1676c13cb085999a21651b71e4e683c3c705af1378153a91472812e943e5d1c
+size 770
diff --git a/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml
new file mode 100644
index 000000000..e562742e6
--- /dev/null
+++ b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 7ebe0ae9-792a-4da1-aa7d-b338db54edfc
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing account manipulation of esxi account with malicious intent.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_account_modified/esxi_account_modified.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1098/
diff --git a/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log
new file mode 100644
index 000000000..7f9ae362c
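Review bot: The `dataset` URL in esxi_account_modified.yml points at a directory named `esxi_account_modified`, but the log is added under `datasets/attack_techniques/T1098/esxi_account_modification/`, so the download link will not resolve once merged. Change it to `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.log`. Separately, this file and esxi_admin_role.yml end their `references` URL with a trailing slash (`T1098/`), unlike every other yml in the series; dropping it keeps the references uniform.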
--- /dev/null
+++ b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:07eddeb84bba145ac2345c65744f2017dd8b0873312576787ce072dec2ca2aa5
+size 306
diff --git a/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml
new file mode 100644
index 000000000..ba8682d40
--- /dev/null
+++ b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 6957528c-1167-469f-a982-d03dea0ff09e
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing account manipulation of esxi account to give it the admin role.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1098/
diff --git a/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log
new file mode 100644
index 000000000..febb2407d
--- /dev/null
+++ b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:19f8cb2e6f07b840f59333038e4c9ebf358104e8088be0c85497c711dab78e22
+size 5255
diff --git a/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml
new file mode 100644
index 000000000..575295697
--- /dev/null
+++ b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 5c239f0f-ec10-4107-b6a0-c9228257e4b1
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing an ssh brute force attempt against an ESXi server.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1110
diff --git a/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log
new file mode 100644
index 000000000..967acb559
--- /dev/null
+++ b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:137f78ea3cb76f7b5a2545b7f9b7b3d46e305f931fa4f2042af1539fd0091eff
+size 4484
diff --git a/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml
new file mode 100644
index 000000000..48f62eaf5
--- /dev/null
+++ b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 61568617-ad53-4998-b9aa-88d4114f5330
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing attempted forced installation of malicious VIBs'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1505/006
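Review bot: The `dataset` entry in esxi_malicious_vib_forced_install.yml ends in `.yml`, so it references this metadata file itself rather than the log that every other yml in the series links; anything that downloads `dataset` to replay events would fetch the descriptor instead of the syslog sample. Change it to `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log`. The `description` here is also the only one in the series without a terminal period, which is cosmetic.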
diff --git a/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log
new file mode 100644
index 000000000..c4b14499f
--- /dev/null
+++ b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:258f5f3a6a43b615b162fac10b865bfdf75ab450c4735437b4d81d5ab8f17534
+size 1073
diff --git a/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml
new file mode 100644
index 000000000..a15f7cb4e
--- /dev/null
+++ b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 2bbe8c66-7262-4e13-b9a0-9d521e5d6305
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing commands used for bulk termination of VMs.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1529
diff --git a/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log
new file mode 100644
index 000000000..6fe19a62f
--- /dev/null
+++ b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b2878648d405d9320c50e4807c0de17de4a32e7a982f56280d0e165b4a3c95fd
+size 1258
diff --git a/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml
new file mode 100644
index 000000000..db546b466
--- /dev/null
+++ b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 1ca23917-04c2-41db-b31b-702bcd728737
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing tampering of audit settings.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/003
diff --git a/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log
new file mode 100644
index 000000000..23047f790
--- /dev/null
+++ b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:24a0ba17de262a72d7ba21c8439b13e8e555deedc6fd7f284c761022d41e8383
+size 606
diff --git a/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml
new file mode 100644
index 000000000..fe658dec0
--- /dev/null
+++ b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 125f03ca-3a22-4bf7-bb02-4abd338b326e
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to modify the loghost configuration.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/003
diff --git a/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log
new file mode 100644
index 000000000..b91eb50d5
--- /dev/null
+++ b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:699f09e84adb22f488ace9675c06d1ff65e81623425c7d817aeb57e9223e9647
+size 172
diff --git a/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml
new file mode 100644
index 000000000..b0ca5dff3
--- /dev/null
+++ b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: c012bd08-cbdb-49b6-9a0d-acd51b1f1cca
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to modify the syslog configuration.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/003
diff --git a/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log
new file mode 100644
index 000000000..486da1e46
--- /dev/null
+++ b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dff7f7bf4bf7cc798184c3e2aab328a4291fc0c1dbc423185a49f40684d3e1a8
+size 286
diff --git a/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml
new file mode 100644
index 000000000..4cc5936b1
--- /dev/null
+++ b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 39edc074-9898-4de9-8296-45c51b7e18dd
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing attempts to disable the firewall.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/004
diff --git a/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log
new file mode 100644
index 000000000..8a3ba26e4
--- /dev/null
+++ b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0e2ff09e1ad025b09d3b1f1f69f27b0c3f7f8c5d9cb803f0509de7d1c932b943
+size 1878
diff --git a/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml
new file mode 100644
index 000000000..66eed2c50
--- /dev/null
+++ b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 05d39cf3-abd8-46e3-b775-88935c28fffc
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing ESXi encryption settings being modified to impair defenses.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562
diff --git a/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log
new file mode 100644
index 000000000..1d0a75997
--- /dev/null
+++ b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12ece619eeada18020899ecefca2ba28eea5a5c5fe32b3640f5c368ab8d80058
+size 945
diff --git a/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml
new file mode 100644
index 000000000..72887f93f
--- /dev/null
+++ b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 98448462-9f32-47ef-ac24-844bb1c0f1c0
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing ESXi lockdown settings being modified to impair defenses.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562
diff --git a/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log
new file mode 100644
index 000000000..c475cfab3
--- /dev/null
+++ b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46512a7a1a48a1efb3f2237de5911be86b61909cb9749efcbc264af28b967f5d
+size 951
diff --git a/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml
new file mode 100644
index 000000000..1c4f027ef
--- /dev/null
+++ b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 2440ce36-e445-4b34-8591-12afd1f8c884
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing modification to ESXi VIB acceptance levels."
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562
diff --git a/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log
new file mode 100644
index 000000000..748030d15
--- /dev/null
+++ b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5e13c41d408677bde3f4b838e255806dd2380393ae7276b27ddee301619a657
+size 2396
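Review bot: The `description` scalar in esxi_vib_acceptance_level_tampering.yml opens with a single quote and closes with a double quote, so a YAML parser never sees the closing quote and the whole file fails to load, which will break any tooling that indexes these dataset manifests; the line should read `description: 'Sample of ESXi syslog events showing modification to ESXi VIB acceptance levels.'`. The same mismatched quoting is in esxi_vm_discovery.yml in the last hunk of this patch, where the sentence is also missing its verb: `description: 'Sample of ESXi syslog events showing VM discovery commands.'`. A YAML lint pass over the new manifests before merge would have caught both, if the repository has one.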
diff --git a/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml
new file mode 100644
index 000000000..9d7b9c3b1
--- /dev/null
+++ b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: a398a202-5b62-4043-9286-647fde220dca
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing dormant VMs being activated.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1584
diff --git a/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log
new file mode 100644
index 000000000..c16b9889b
--- /dev/null
+++ b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:26ac5d8afa9fe98c0a7b125d923252ed90fc7e3bd77f000caf13807e5c7736c1
+size 5333
diff --git a/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml
new file mode 100644
index 000000000..261e8853e
--- /dev/null
+++ b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 39edc074-9898-4de9-8296-45c51b7e18dd
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing failed attempts to install malicious VIBs.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1601/001
diff --git a/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log
new file mode 100644
index 000000000..68e85d22f
--- /dev/null
+++ b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eedcd884130ddbdafcf0df25c8d7366b782ec79aa3636f463f2c0ca9b0d320f9
+size 1743
diff --git a/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml
new file mode 100644
index 000000000..0a876e68e
--- /dev/null
+++ b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: d3f26d3a-3ae5-4e3d-a9b3-567622b6fb1d
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events VM discovery commands."
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1673
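Review bot: The `id` in esxi_download_errors.yml, `39edc074-9898-4de9-8296-45c51b7e18dd`, is the same UUID this patch already assigns to esxi_firewall_disabled.yml, so the two datasets are no longer uniquely identifiable and anything keyed on `id` will collide on one of them; replace it with a freshly generated value, `id: <new-uuid-placeholder>`. Separately, the file and directory are named download_errors under T1601.001 while the description speaks of failed attempts to install malicious VIBs — if the log captures download failures during VIB installation, saying so in the description would make the name, technique and description agree, though I cannot confirm the log content from the LFS pointer alone.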