Skip to content
Re-play Adversarial Techniques
Python Shell PowerShell
Branch: master
Clone or download
Cyb3rWard0g Updated docs
Latest commit 19b8cba Oct 15, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs Updated docs Oct 15, 2019
large_datasets/apt3 Update May 15, 2019
scripts Update Jun 25, 2019
small_datasets/windows Moving DPAPI Master Key Dataset to AD folder Sep 23, 2019
.gitignore Update .gitignore Jul 25, 2019 Update May 19, 2019
LICENSE Update LICENSE Sep 22, 2018 Added Domain Users Scripts Sep 16, 2019

Mordor Gates


The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.

The name Mordor comes from the awesome book/film series "The Lord of the Rings", and it was a place where the evil forces of Sauron lived. This repository is where data generated by known "malicious" adversarial activity lives, hence the name of the project.


  • Provide free portable malicious datasets to expedite the development of data analytics.
  • Facilitate adversarial techniques simulation and output consumption.
  • Allow security analysts to test their skills with real known bad data.
  • Improve the testing of hunting use cases and data analytics in an easier and more affordable way.
  • Enable data scientists to have semi-labeled data for initial research.
  • Map threat hunter playbooks to their respective pre-recorded data for validation purposes.
  • Contribute to the ATT&CK framework Data Sources section of each technique and sub-technique.
  • Ingest known bad data samples for training and capture the flag (CTF) events.
  • Learn more about red team simulation exercises and technology such as Kafkacat, Kafka and Jupyter Notebooks.

Getting Started

Projects Using Mordor



There are a few things that we would like to accomplish with this repo as shown in the To-Do list below. Share your pre-recorded data with us following our same setup (working on a standard setup..), and help others in the Cyber community to validate their detection use cases in a faster and easier way.

License: GPL-3.0

Mordor's GNU General Public License


  • Dynamically generate mordor datasets readme files in restructuredtext
  • Release environment scripts
  • Add OSquery to endpoints for Linux/macOS
  • Share Terraform & Packer config files to deploy the same environment in the cloud
  • Add a Bro sensor
  • Multiple custom network setup for contributions
  • Add toolsets to the Empire box inside of AWS configuratons
  • Prepare Large Dataset ;)
  • Logo

More coming soon...

You can’t perform that action at this time.