diff --git a/datasets/attack_techniques/T1014/snapattack/snapattack.yml b/datasets/attack_techniques/T1014/snapattack/snapattack.yml
new file mode 100644
index 00000000..4233c88b
--- /dev/null
+++ b/datasets/attack_techniques/T1014/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 552e13f8-267f-4a91-a56f-9209ab4e2f1f
+date: '2026-04-20'
+description: Generated datasets for Linux Evidence of BPFdoor implant - creation of
+ known lockfiles in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1014
+datasets:
+- name: snapattack
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1014/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1014/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1014/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..5edb10f1
--- /dev/null
+++ b/datasets/attack_techniques/T1014/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d4e26a8daf0571d3cf218dc3157161414faac7dac641a12354b3df35bff42cf1
+size 950
diff --git a/datasets/attack_techniques/T1021.004/snapattack/snapattack.yml b/datasets/attack_techniques/T1021.004/snapattack/snapattack.yml
index 3fe95c18..555564f4 100644
--- a/datasets/attack_techniques/T1021.004/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1021.004/snapattack/snapattack.yml
@@ -11,3 +11,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Security
 path: /datasets/attack_techniques/T1021.004/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1021.004/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1021.004/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1021.004/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..004d5b3a
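Review bot: The new T1014 manifest names its only dataset entry `snapattack` while the file it points to is `snapattack_linux.log`, which diverges from every other manifest in this commit, where the Linux Sysmon entry is called `snapattack_linux` and `snapattack` is reserved for the existing Windows entry. If the `name` field is used anywhere as a lookup key for the dataset, the mismatch will be hard to spot later; the same pattern appears in the new T1036.004 manifest further down. Suggest `- name: snapattack_linux` in both files so naming is uniform across the `datasets/attack_techniques/*/snapattack/` tree.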
--- /dev/null
+++ b/datasets/attack_techniques/T1021.004/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a12e30866bb511ec6d3817f616bc3cd1dc33b2efc291b7b035da4275c8c29eba
+size 1675
diff --git a/datasets/attack_techniques/T1033/snapattack/snapattack.yml b/datasets/attack_techniques/T1033/snapattack/snapattack.yml
index 2f7864f4..7f4c8335 100644
--- a/datasets/attack_techniques/T1033/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1033/snapattack/snapattack.yml
@@ -11,3 +11,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Security
 path: /datasets/attack_techniques/T1033/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1033/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1033/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1033/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..19b77fe2
--- /dev/null
+++ b/datasets/attack_techniques/T1033/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aab118f8742cc2fb7895dd531034e5ac436081ebba31d30f5f654d98ff68b2e1
+size 9007
diff --git a/datasets/attack_techniques/T1036.004/snapattack/snapattack.yml b/datasets/attack_techniques/T1036.004/snapattack/snapattack.yml
new file mode 100644
index 00000000..760372d0
--- /dev/null
+++ b/datasets/attack_techniques/T1036.004/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: bf223b24-4cb9-44aa-b43d-63c5d564355a
+date: '2026-04-20'
+description: Generated datasets for Linux GobRAT Malware Execution in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1036.004
+datasets:
+- name: snapattack
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1036.004/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1036.004/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1036.004/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..832e487c
--- /dev/null
+++ b/datasets/attack_techniques/T1036.004/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:01df66c08bbff373951b6bce7d80390d6294f1672e7e70e8aa92f12aa3e68fc4
+size 1553
diff --git a/datasets/attack_techniques/T1036/snapattack/snapattack.yml b/datasets/attack_techniques/T1036/snapattack/snapattack.yml
index 51f046b5..b3ae74fc 100644
--- a/datasets/attack_techniques/T1036/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1036/snapattack/snapattack.yml
@@ -12,3 +12,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 path: /datasets/attack_techniques/T1036/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1036/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1036/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1036/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..cb16781e
--- /dev/null
+++ b/datasets/attack_techniques/T1036/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:15b880706f6e080fd652fd6fc47bd8d458859b001eca77ef86d6191a3420409c
+size 2837
diff --git a/datasets/attack_techniques/T1037.005/snapattack/snapattack.yml b/datasets/attack_techniques/T1037.005/snapattack/snapattack.yml
index 3dfc5952..b72be79b 100644
--- a/datasets/attack_techniques/T1037.005/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1037.005/snapattack/snapattack.yml
@@ -12,3 +12,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
 path: /datasets/attack_techniques/T1037.005/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1037.005/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1037.005/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1037.005/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..d5600d6c
--- /dev/null
+++ b/datasets/attack_techniques/T1037.005/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9333c80d65744e3fe327a8531caebec80ee02e92769e6db8e0a335341f420a48
+size 959
diff --git a/datasets/attack_techniques/T1059.004/snapattack/snapattack.yml b/datasets/attack_techniques/T1059.004/snapattack/snapattack.yml
new file mode 100644
index 00000000..89f881cf
--- /dev/null
+++ b/datasets/attack_techniques/T1059.004/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: be7db117-e5ac-4cfa-a0fd-9784f0f937bf
+date: '2026-04-20'
+description: Generated datasets for Linux Netcat Outbound Connection in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1059.004
+datasets:
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1059.004/snapattack/snapattack_linux.log
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1059.004/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1059.004/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..5a1840f4
--- /dev/null
+++ b/datasets/attack_techniques/T1059.004/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9f3396fccefec9d9db47bdf83e0d8988fe8865a0cfa3fa1f7a8e25a3a5d4fdc7
+size 4404
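Review bot: The new T1059.004 manifest is the only one in this commit written without a trailing newline (`\ No newline at end of file` after the last `path:` line), which every other new `snapattack.yml` here has and which yamllint's `new-line-at-end-of-file` rule flags. Terminate the file with a single newline so the next edit to it does not produce a noisy diff on the `path:` line.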
diff --git a/datasets/attack_techniques/T1059/snapattack/snapattack.yml b/datasets/attack_techniques/T1059/snapattack/snapattack.yml
index ec512f5b..3a50d587 100644
--- a/datasets/attack_techniques/T1059/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1059/snapattack/snapattack.yml
@@ -12,3 +12,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 path: /datasets/attack_techniques/T1059/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1059/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1059/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1059/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..d4c6760c
--- /dev/null
+++ b/datasets/attack_techniques/T1059/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0d94f272bdc0b9ae4baf1c303051f2ab947e4947ebf834f6da76221eade34e1a
+size 1733
diff --git a/datasets/attack_techniques/T1068/snapattack/snapattack.yml b/datasets/attack_techniques/T1068/snapattack/snapattack.yml
index a523f262..9d4ee433 100644
--- a/datasets/attack_techniques/T1068/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1068/snapattack/snapattack.yml
@@ -12,3 +12,8 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Security
 path: /datasets/attack_techniques/T1068/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1068/snapattack/snapattack_linux.log
+
diff --git a/datasets/attack_techniques/T1068/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1068/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..ccd11f4d
--- /dev/null
+++ b/datasets/attack_techniques/T1068/snapattack/snapattack_linux.log
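Review bot: The T1068 manifest hunk (`@@ -12,3 +12,8 @@`) adds five lines where the sibling manifests add four: the fifth is an empty added line after the new `path:` entry, leaving a trailing blank line at end of file that yamllint's `empty-lines` rule reports. The same extra blank line is added to the T1190 manifest later in this diff. Drop the empty `+` line in both so the files end directly after `path: /datasets/attack_techniques/T1068/snapattack/snapattack_linux.log`, matching the other modified manifests.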
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:67471b83be710c3d7f4b9f72e1ef86bae3a8b6132a8bd1b7bd7bd7084372410e
+size 5970
diff --git a/datasets/attack_techniques/T1082/snapattack/snapattack.yml b/datasets/attack_techniques/T1082/snapattack/snapattack.yml
index 3bdc8938..1423ff2a 100644
--- a/datasets/attack_techniques/T1082/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1082/snapattack/snapattack.yml
@@ -12,3 +12,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
 path: /datasets/attack_techniques/T1082/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1082/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1082/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1082/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..6b6181b1
--- /dev/null
+++ b/datasets/attack_techniques/T1082/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdeb4447e9d6f5671689bb5d3105979b12d716becbbc40fcd674219d9036ef6e
+size 1568
diff --git a/datasets/attack_techniques/T1098/snapattack/snapattack.yml b/datasets/attack_techniques/T1098/snapattack/snapattack.yml
new file mode 100644
index 00000000..c0d6a08e
--- /dev/null
+++ b/datasets/attack_techniques/T1098/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 7534d45a-1766-49a3-9c51-2c67af3919da
+date: '2026-04-20'
+description: Generated datasets for Linux Usermod Root UID Set in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1098
+datasets:
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1098/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1098/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1098/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..5f1c5415
--- /dev/null
+++ b/datasets/attack_techniques/T1098/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0dcb6b850a20047d18c508743aa2986fbdbf6cc49c224415312bb0c5cc19aa04
+size 1654
diff --git a/datasets/attack_techniques/T1102/snapattack/snapattack.yml b/datasets/attack_techniques/T1102/snapattack/snapattack.yml
new file mode 100644
index 00000000..968905b9
--- /dev/null
+++ b/datasets/attack_techniques/T1102/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: a1eede05-8cac-4d11-8b09-95f4a7205db0
+date: '2026-04-20'
+description: Generated datasets for Linux Suspicious Splunk Process (Linux) in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1102
+datasets:
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1102/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1102/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1102/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..e0125752
--- /dev/null
+++ b/datasets/attack_techniques/T1102/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8975ca62f06e9d52cf37e1c1190aa88a5d9e65b8f19f7cfb7a318e4e95675477
+size 1815
diff --git a/datasets/attack_techniques/T1129/snapattack/snapattack.yml b/datasets/attack_techniques/T1129/snapattack/snapattack.yml
index 324ebead..261cabb7 100644
--- a/datasets/attack_techniques/T1129/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1129/snapattack/snapattack.yml
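Review bot: The T1102 manifest's `description:` reads "Linux Suspicious Splunk Process (Linux) in attack range", where the parenthetical repeats the leading "Linux" and breaks the "Generated datasets for <detection name> in attack range." pattern the other manifests follow. If the detection this dataset backs is not literally titled with that suffix, tighten it to `description: Generated datasets for Linux Suspicious Splunk Process in attack range.`; if it is, a short note of the exact detection name in the description would make the link unambiguous for whoever maintains the dataset mapping.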
@@ -11,3 +11,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 path: /datasets/attack_techniques/T1129/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1129/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1129/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1129/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..26fec0c1
--- /dev/null
+++ b/datasets/attack_techniques/T1129/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7be8bd781fc1b559dfd7a49ff3b9119081c9a59a2e114e5cd520c06ae792d059
+size 1739
diff --git a/datasets/attack_techniques/T1190/snapattack/snapattack.yml b/datasets/attack_techniques/T1190/snapattack/snapattack.yml
index 03e4b606..f083f697 100644
--- a/datasets/attack_techniques/T1190/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1190/snapattack/snapattack.yml
@@ -12,3 +12,8 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 path: /datasets/attack_techniques/T1190/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1190/snapattack/snapattack_linux.log
+
diff --git a/datasets/attack_techniques/T1190/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1190/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..098c0f98
--- /dev/null
+++ b/datasets/attack_techniques/T1190/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5a0b799e30cf4d85683ec737b7815309977e13a5481693005b7b628311bd409d
+size 5830
diff --git a/datasets/attack_techniques/T1204.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1204.002/snapattack/snapattack.yml
index 20a6b50c..d829b3a9 100644
--- a/datasets/attack_techniques/T1204.002/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1204.002/snapattack/snapattack.yml
@@ -12,3 +12,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Security
 path: /datasets/attack_techniques/T1204.002/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1204.002/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1204.002/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1204.002/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..9cb4ab51
--- /dev/null
+++ b/datasets/attack_techniques/T1204.002/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ea774ed63ac05cee170aa7655e47bf4a8e5b0709a52f946076c7ceac4270f2d5
+size 1668
diff --git a/datasets/attack_techniques/T1505/snapattack/snapattack.yml b/datasets/attack_techniques/T1505/snapattack/snapattack.yml
index bc9cb517..1de1eea5 100644
--- a/datasets/attack_techniques/T1505/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1505/snapattack/snapattack.yml
@@ -12,3 +12,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 path: /datasets/attack_techniques/T1505/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1505/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1505/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1505/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..6579618c
--- /dev/null
+++ b/datasets/attack_techniques/T1505/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:29c6f506d96ae91a452b935c1c619891d006f7123f7ee27e94265ef67cae31d4
+size 1561
diff --git a/datasets/attack_techniques/T1542/snapattack/snapattack.yml b/datasets/attack_techniques/T1542/snapattack/snapattack.yml
new file mode 100644
index 00000000..5ba6f08a
--- /dev/null
+++ b/datasets/attack_techniques/T1542/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: e55d922f-209d-4461-97fb-2578bd8d7620
+date: '2026-04-20'
+description: Generated datasets for Linux EFI Bootloader File Deletion in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1542
+datasets:
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1542/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1542/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1542/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..7aed2a57
--- /dev/null
+++ b/datasets/attack_techniques/T1542/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b9448b6a73fcfd36a00c86e4030556296adb9f48273bfdc077629c1c1191ec4e
+size 2598
diff --git a/datasets/attack_techniques/T1543.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1543.002/snapattack/snapattack.yml
new file mode 100644
index 00000000..63fdf189
--- /dev/null
+++ b/datasets/attack_techniques/T1543.002/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: aaab2742-a782-4392-9332-6f68ad5ae804
+date: '2026-04-20'
+description: Generated datasets for Linux Service Enabled from Web Directory in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1543.002
+datasets:
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1543.002/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1543.002/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1543.002/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..7172e469
--- /dev/null
+++ b/datasets/attack_techniques/T1543.002/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d505a25887c89d3443c230ffe595e63140cc1cbf4d60442450d9b0153adf7d1e
+size 1529
diff --git a/datasets/attack_techniques/T1547/snapattack/snapattack.yml b/datasets/attack_techniques/T1547/snapattack/snapattack.yml
new file mode 100644
index 00000000..202ae1be
--- /dev/null
+++ b/datasets/attack_techniques/T1547/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: b13a41f8-265d-453b-8cbf-d61f7baf6d10
+date: '2026-04-20'
+description: Generated datasets for Linux MOTD Script Added in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1547
+datasets:
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1547/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1547/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1547/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..5d9fa2b3
--- /dev/null
+++ b/datasets/attack_techniques/T1547/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d87c0186e4e1894688f1bf1731ffbb9ee9b31c1752e7e143a817c8dc4e94530f
+size 2870
diff --git a/datasets/attack_techniques/T1548.003/snapattack/snapattack.yml b/datasets/attack_techniques/T1548.003/snapattack/snapattack.yml
new file mode 100644
index 00000000..c3642a24
--- /dev/null
+++ b/datasets/attack_techniques/T1548.003/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: c4e07887-757f-4e28-beb0-bb7383d8ad2b
+date: '2026-04-20'
+description: Generated datasets for Linux Suspicious Sudo Parameter in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1548.003
+datasets:
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1548.003/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1548.003/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1548.003/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..3910d326
--- /dev/null
+++ b/datasets/attack_techniques/T1548.003/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c3932407b5f0959ed2344d7bb3ffc59151fd7b1ddc31aac512c35f54567e6647
+size 1675
diff --git a/datasets/attack_techniques/T1552.003/snapattack/snapattack.yml b/datasets/attack_techniques/T1552.003/snapattack/snapattack.yml
new file mode 100644
index 00000000..e14126a9
--- /dev/null
+++ b/datasets/attack_techniques/T1552.003/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 1c980891-b00d-4076-ab9c-6854a1de7517
+date: '2026-04-20'
+description: Generated datasets for Linux Bash History Access in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1552.003
+datasets:
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1552.003/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1552.003/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1552.003/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..ed902b81
--- /dev/null
+++ b/datasets/attack_techniques/T1552.003/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cebc0e6cbce9f2aee6eceea00249c6db1700ce60b2ec5a20ce6e95f5242fe96d
+size 4767
diff --git a/datasets/attack_techniques/T1608/snapattack/snapattack.yml b/datasets/attack_techniques/T1608/snapattack/snapattack.yml
index 26682221..d8867bed 100644
--- a/datasets/attack_techniques/T1608/snapattack/snapattack.yml
+++ b/datasets/attack_techniques/T1608/snapattack/snapattack.yml
@@ -11,3 +11,7 @@ datasets:
 sourcetype: XmlWinEventLog
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 path: /datasets/attack_techniques/T1608/snapattack/snaattack.log
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1608/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1608/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1608/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..7b1ea8dd
--- /dev/null
+++ b/datasets/attack_techniques/T1608/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:500535ab7f86c1028716f509450cf8ee1aeb1c69434daf913076a976d679d8a4
+size 1640
diff --git a/datasets/attack_techniques/T1610/snapattack/snapattack.yml b/datasets/attack_techniques/T1610/snapattack/snapattack.yml
new file mode 100644
index 00000000..273a9717
--- /dev/null
+++ b/datasets/attack_techniques/T1610/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: d49a676c-491e-4165-94bb-1d0e4fb1f5d0
+date: '2026-04-20'
+description: Generated datasets for Linux Suspicious Docker Build in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1610
+datasets:
+- name: snapattack_linux
+ sourcetype: sysmon:linux
+ source: Syslog:Linux-Sysmon/Operational
+ path: /datasets/attack_techniques/T1610/snapattack/snapattack_linux.log
diff --git a/datasets/attack_techniques/T1610/snapattack/snapattack_linux.log b/datasets/attack_techniques/T1610/snapattack/snapattack_linux.log
new file mode 100644
index 00000000..57e93261
--- /dev/null
+++ b/datasets/attack_techniques/T1610/snapattack/snapattack_linux.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a19e535401e2f18a66f388dfe1331fa6dacfc9e9622d252fea5529f6e19b8c7e
+size 3379