diff --git a/datasets/attack_techniques/T1001/snapattack/snapattack.log b/datasets/attack_techniques/T1001/snapattack/snapattack.log
new file mode 100644
index 000000000..40c0623d9
--- /dev/null
+++ b/datasets/attack_techniques/T1001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:76c77dc261b4e0afc62ef81c33073eea8858b6626f946b1c7849af9d94b1c6dd
+size 1949
diff --git a/datasets/attack_techniques/T1001/snapattack/snapattack.yml b/datasets/attack_techniques/T1001/snapattack/snapattack.yml
new file mode 100644
index 000000000..d03e93377
--- /dev/null
+++ b/datasets/attack_techniques/T1001/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 359d5738-ce1c-40f4-8360-d544dab6db59
+date: '2026-04-01'
+description: Generated datasets for Windows String Manipulation Techniques in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1003.001/snapattack/snapattack.log b/datasets/attack_techniques/T1003.001/snapattack/snapattack.log
new file mode 100644
index 000000000..763120bfa
--- /dev/null
+++ b/datasets/attack_techniques/T1003.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c22994ec5fa481609dfbb3403dc51d803cb1f0665d3aab29da8f5e8a9766f4af
+size 58587
diff --git a/datasets/attack_techniques/T1003.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1003.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..7a72e8a08
--- /dev/null
+++ b/datasets/attack_techniques/T1003.001/snapattack/snapattack.yml
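Review bot: The `path` on the last line of the T1001 manifest points at `snaattack.log`, but the file this commit adds next to it is `snapattack.log`, so anything that resolves this manifest to load the dataset will fail to find the file; change it to `path: /datasets/attack_techniques/T1001/snapattack/snapattack.log`. The same transposed name appears in every manifest in this commit, which suggests it comes from the generator template rather than a hand edit, so fix it at the source and regenerate. Separately, "String Manipulation Techniques" under T1001 (Data Obfuscation) looks like it may belong under T1027 (Obfuscated Files or Information) instead — worth confirming the mapping before this lands.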
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 23bcd20e-abc1-43fa-bd6f-117cb360633e
+date: '2026-04-01'
+description: Generated datasets for Windows Evidence of LSASS Shtinkering - AppCrash
+ Reports in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1003.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1003.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1003.002/snapattack/snapattack.log b/datasets/attack_techniques/T1003.002/snapattack/snapattack.log
new file mode 100644
index 000000000..d718a83e6
--- /dev/null
+++ b/datasets/attack_techniques/T1003.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f19d2035e279d3a5faaf7ac2a18f71d296f965cbe6389f8a905806ba50565b02
+size 7063
diff --git a/datasets/attack_techniques/T1003.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1003.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..c7d32e738
--- /dev/null
+++ b/datasets/attack_techniques/T1003.002/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: df5b874a-91f8-4eca-bf06-2570a6f7834b
+date: '2026-04-01'
+description: Generated datasets for Windows Usage of Mimikatz lsadump::sam module
+ (PoSh) in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1003.002
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1003.002/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1003.003/snapattack/snapattack.log b/datasets/attack_techniques/T1003.003/snapattack/snapattack.log
new file mode 100644
index 000000000..eb63ef991
--- /dev/null
+++ b/datasets/attack_techniques/T1003.003/snapattack/snapattack.log
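Review bot: The T1003.001 manifest's `path` references `snaattack.log` while the LFS pointer added in the same commit is `snapattack.log`, so the dataset cannot be resolved from this manifest; it should read `path: /datasets/attack_techniques/T1003.001/snapattack/snapattack.log`. This hunk's header is on the previous line of the page.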
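Review bot: The T1003.002 manifest's `path` names `snaattack.log`, which does not match the `snapattack.log` file added in this commit, so the dataset will not load from this manifest; change it to `path: /datasets/attack_techniques/T1003.002/snapattack/snapattack.log`.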
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:50290b7f98c2059cb340a40c02fddc932a9815a1be32eef9074e839ae595ef4f
+size 7772
diff --git a/datasets/attack_techniques/T1003.003/snapattack/snapattack.yml b/datasets/attack_techniques/T1003.003/snapattack/snapattack.yml
new file mode 100644
index 000000000..df44560f3
--- /dev/null
+++ b/datasets/attack_techniques/T1003.003/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 53065f7f-c068-4a10-8009-26bb81ba80f9
+date: '2026-04-01'
+description: Generated datasets for Windows Explorer mounting a ntdsutil snapshot
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1003.003
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1003.003/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1003.004/snapattack/snapattack.log b/datasets/attack_techniques/T1003.004/snapattack/snapattack.log
new file mode 100644
index 000000000..d706a32da
--- /dev/null
+++ b/datasets/attack_techniques/T1003.004/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4ba0ba771f144bd9f8847a0e9e40e21d15b7e966d19d64031e408611da6608f6
+size 4872
diff --git a/datasets/attack_techniques/T1003.004/snapattack/snapattack.yml b/datasets/attack_techniques/T1003.004/snapattack/snapattack.yml
new file mode 100644
index 000000000..3d1474a2a
--- /dev/null
+++ b/datasets/attack_techniques/T1003.004/snapattack/snapattack.yml
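Review bot: The T1003.003 manifest's `path` points at `snaattack.log` but the file added in this commit is `snapattack.log`, so the reference is dangling; it should be `path: /datasets/attack_techniques/T1003.003/snapattack/snapattack.log`.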
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: e30f8af0-68c6-4d63-93f7-c835dee26282
+date: '2026-04-01'
+description: Generated datasets for Windows Usage of Mimikatz lsadump::secrets module
+ (Sysmon) in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1003.004
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1003.004/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1003.005/snapattack/snapattack.log b/datasets/attack_techniques/T1003.005/snapattack/snapattack.log
new file mode 100644
index 000000000..735a75d88
--- /dev/null
+++ b/datasets/attack_techniques/T1003.005/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2146942c9b24429f5ae0444a8458dab6de6365c018c5c5e35bda3033e1a7b59
+size 1621
diff --git a/datasets/attack_techniques/T1003.005/snapattack/snapattack.yml b/datasets/attack_techniques/T1003.005/snapattack/snapattack.yml
new file mode 100644
index 000000000..fbb5caba7
--- /dev/null
+++ b/datasets/attack_techniques/T1003.005/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: a0c61c8d-b591-43ea-960e-e07c70908955
+date: '2026-04-01'
+description: Generated datasets for Windows Usage of Mimikatz lsadump::cache module
+ (Sysmon) in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1003.005
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1003.005/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1003.006/snapattack/snapattack.log b/datasets/attack_techniques/T1003.006/snapattack/snapattack.log
new file mode 100644
index 000000000..d4d0be8c6
--- /dev/null
+++ b/datasets/attack_techniques/T1003.006/snapattack/snapattack.log
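Review bot: The T1003.004 manifest's `path` references `snaattack.log`, which does not exist — the file added alongside it is `snapattack.log` — so change it to `path: /datasets/attack_techniques/T1003.004/snapattack/snapattack.log`. The description also says "(Sysmon)" while `source` is `XmlWinEventLog:Security`; one of the two looks wrong, so verify which channel the LFS data actually contains and align the label or the source accordingly, since a detection tested against the wrong sourcetype will silently pass or fail for the wrong reason. This hunk's header is on the previous line of the page.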
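Review bot: The T1003.005 manifest has the same dangling `path` (`snaattack.log` instead of the committed `snapattack.log`); it should be `path: /datasets/attack_techniques/T1003.005/snapattack/snapattack.log`. As with the T1003.004 manifest, the description says "(Sysmon)" but `source` is `XmlWinEventLog:Security`; confirm which one reflects the actual events in the LFS object and correct the other.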
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56d382a7d08b2ac8ead211e8c6d98d86a722c903b88b6400ef82ec495575b998
+size 2992
diff --git a/datasets/attack_techniques/T1003.006/snapattack/snapattack.yml b/datasets/attack_techniques/T1003.006/snapattack/snapattack.yml
new file mode 100644
index 000000000..ed474b253
--- /dev/null
+++ b/datasets/attack_techniques/T1003.006/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: c662746c-b0c8-440e-b0a0-2ae243fdd61d
+date: '2026-04-01'
+description: Generated datasets for Windows Possible DCSync attack in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1003.006
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1003.006/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1003/snapattack/snapattack.log b/datasets/attack_techniques/T1003/snapattack/snapattack.log
new file mode 100644
index 000000000..3b6b21cb4
--- /dev/null
+++ b/datasets/attack_techniques/T1003/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3899a55d5c0a8df3b1bdafafe7bd6f2d40b44b7f8a8793eaddc456aed7973086
+size 1501
diff --git a/datasets/attack_techniques/T1003/snapattack/snapattack.yml b/datasets/attack_techniques/T1003/snapattack/snapattack.yml
new file mode 100644
index 000000000..896f44a5f
--- /dev/null
+++ b/datasets/attack_techniques/T1003/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: b7b26034-912b-4cb5-9f7a-f1389e00a680
+date: '2026-04-01'
+description: "Generated datasets for Windows Common credential dumpers in attack range."
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1003
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1003/snapattack/snaattack.log
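Review bot: The T1003.006 manifest's `path` names `snaattack.log` while the committed file is `snapattack.log`, so the DCSync dataset cannot be located through this manifest; change it to `path: /datasets/attack_techniques/T1003.006/snapattack/snapattack.log`.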
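Review bot: The T1003 manifest's `path` has the same transposed filename (`snaattack.log` vs the committed `snapattack.log`) and should be `path: /datasets/attack_techniques/T1003/snapattack/snapattack.log`. The `description` here is double-quoted while every other manifest in the commit uses a plain scalar; it parses the same, but if the generator is being fixed anyway it is worth emitting one consistent style.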
diff --git a/datasets/attack_techniques/T1006/snapattack/snapattack.log b/datasets/attack_techniques/T1006/snapattack/snapattack.log
new file mode 100644
index 000000000..34ed1abe5
--- /dev/null
+++ b/datasets/attack_techniques/T1006/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44ae6a644b38392c39f0c906fd5967bd5a8626774f314a12971e1aba6f7f24a4
+size 2186
diff --git a/datasets/attack_techniques/T1006/snapattack/snapattack.yml b/datasets/attack_techniques/T1006/snapattack/snapattack.yml
new file mode 100644
index 000000000..c4be28bbe
--- /dev/null
+++ b/datasets/attack_techniques/T1006/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 1588ea84-f7f1-4ed3-8d53-acba5c6a5c2d
+date: '2026-04-01'
+description: Generated datasets for Windows IsaacWiper DLL RawDiskRead in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1006
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1006/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1011/snapattack/snapattack.log b/datasets/attack_techniques/T1011/snapattack/snapattack.log
new file mode 100644
index 000000000..144a22604
--- /dev/null
+++ b/datasets/attack_techniques/T1011/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a48979d6fad5112a4bc1b26b61de7566955f1796b0db6a6dbc61b47b75c1fe39
+size 3292
diff --git a/datasets/attack_techniques/T1011/snapattack/snapattack.yml b/datasets/attack_techniques/T1011/snapattack/snapattack.yml
new file mode 100644
index 000000000..409208ba7
--- /dev/null
+++ b/datasets/attack_techniques/T1011/snapattack/snapattack.yml
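Review bot: The T1006 manifest's `path` points at `snaattack.log`, but the LFS pointer added in this commit is `snapattack.log`, so the reference will not resolve; it should be `path: /datasets/attack_techniques/T1006/snapattack/snapattack.log`.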
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 13356374-aa80-49d4-9e1e-10e0ed9a2093
+date: '2026-04-01'
+description: Generated datasets for Windows Suspicious Program Location with Network
+ Connections in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1011
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1011/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1012/snapattack/snapattack.log b/datasets/attack_techniques/T1012/snapattack/snapattack.log
new file mode 100644
index 000000000..0d4fb98ff
--- /dev/null
+++ b/datasets/attack_techniques/T1012/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:91458feb9804581bdddaf234f1d828ac75698436236201078574123de33d3a39
+size 1171
diff --git a/datasets/attack_techniques/T1012/snapattack/snapattack.yml b/datasets/attack_techniques/T1012/snapattack/snapattack.yml
new file mode 100644
index 000000000..a0f87243b
--- /dev/null
+++ b/datasets/attack_techniques/T1012/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 24d12d67-7cba-4ee2-aadd-05a6a224064d
+date: '2026-04-01'
+description: Generated datasets for Windows Possible Turla Snake Malware via Covert
+ Store Registry Key in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1012
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1012/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1016.001/snapattack/snapattack.log b/datasets/attack_techniques/T1016.001/snapattack/snapattack.log
new file mode 100644
index 000000000..9f282eb42
--- /dev/null
+++ b/datasets/attack_techniques/T1016.001/snapattack/snapattack.log
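Review bot: The T1011 manifest's `path` references `snaattack.log` while the file committed beside it is `snapattack.log`; change it to `path: /datasets/attack_techniques/T1011/snapattack/snapattack.log`. Mapping "Suspicious Program Location with Network Connections" to T1011 (Exfiltration Over Other Network Medium) also looks like a stretch for Sysmon network-connection events — I would confirm this is the intended technique rather than, say, T1071. This hunk's header is on the previous line of the page.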
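Review bot: The T1012 manifest's `path` names `snaattack.log`, not the `snapattack.log` added in this commit, so the dataset will not be found; it should be `path: /datasets/attack_techniques/T1012/snapattack/snapattack.log`.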
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1453143417116af98384c0716ef92036931237a1dee2ba218bda774250e88359
+size 5030
diff --git a/datasets/attack_techniques/T1016.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1016.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..d00cb1e80
--- /dev/null
+++ b/datasets/attack_techniques/T1016.001/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: a2887fd7-921d-4411-a338-8262c2f42a52
+date: '2026-04-01'
+description: Generated datasets for Windows GoldFinder DNS Query in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1016.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1016.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1020/snapattack/snapattack.log b/datasets/attack_techniques/T1020/snapattack/snapattack.log
new file mode 100644
index 000000000..4d4e68759
--- /dev/null
+++ b/datasets/attack_techniques/T1020/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3e43d19ba5aaffbeb7e7a9249a56e58032234e0d0bdf4f074ecd147ef23ee00d
+size 2712
diff --git a/datasets/attack_techniques/T1020/snapattack/snapattack.yml b/datasets/attack_techniques/T1020/snapattack/snapattack.yml
new file mode 100644
index 000000000..029001c3a
--- /dev/null
+++ b/datasets/attack_techniques/T1020/snapattack/snapattack.yml
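Review bot: The T1016.001 manifest's `path` points at `snaattack.log`, but the committed file is `snapattack.log`, so the reference is broken; it should be `path: /datasets/attack_techniques/T1016.001/snapattack/snapattack.log`.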
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: bd2aeef0-e309-41aa-8e46-7ebf9cf226be
+date: '2026-04-01'
+description: Generated datasets for Windows Impacket Remote Temporary File Activity
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1020
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1020/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1021.002/snapattack/snapattack.log b/datasets/attack_techniques/T1021.002/snapattack/snapattack.log
new file mode 100644
index 000000000..d4e1cb970
--- /dev/null
+++ b/datasets/attack_techniques/T1021.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0186bcb28c10436a6207d024c5b0ac9f47dc847a198fcdfdee321e8e23b82cf5
+size 4514
diff --git a/datasets/attack_techniques/T1021.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1021.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..60aade8d0
--- /dev/null
+++ b/datasets/attack_techniques/T1021.002/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 1d9993d2-f45e-409c-93aa-f83fac84756b
+date: '2026-04-01'
+description: Generated datasets for Windows CVE-2023-38146 (ThemeBleed) Exploitation
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1021.002
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1021.002/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1021.004/snapattack/snapattack.log b/datasets/attack_techniques/T1021.004/snapattack/snapattack.log
new file mode 100644
index 000000000..58dde2a51
--- /dev/null
+++ b/datasets/attack_techniques/T1021.004/snapattack/snapattack.log
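Review bot: The T1020 manifest's `path` references `snaattack.log` rather than the `snapattack.log` file this commit adds, so it will not resolve; change it to `path: /datasets/attack_techniques/T1020/snapattack/snapattack.log`. This hunk's header is on the previous line of the page.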
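Review bot: The T1021.002 manifest's `path` has the same transposed filename (`snaattack.log` vs the committed `snapattack.log`) and should be `path: /datasets/attack_techniques/T1021.002/snapattack/snapattack.log`.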
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff4c18dcc3ca900ccd2231d21317913ce5d0cde61d6cd40a3832faba96f49adf
+size 1462
diff --git a/datasets/attack_techniques/T1021.004/snapattack/snapattack.yml b/datasets/attack_techniques/T1021.004/snapattack/snapattack.yml
new file mode 100644
index 000000000..3fe95c189
--- /dev/null
+++ b/datasets/attack_techniques/T1021.004/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: cac19d26-abb2-4a44-88ac-8b78e0528e4c
+date: '2026-04-01'
+description: Generated datasets for Windows Putty suite in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1021.004
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1021.004/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1021/snapattack/snapattack.log b/datasets/attack_techniques/T1021/snapattack/snapattack.log
new file mode 100644
index 000000000..23f4c67cc
--- /dev/null
+++ b/datasets/attack_techniques/T1021/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b49ad482812355bd9a577ffc88d41f3f06166ddad4b62980807a190d18eec5be
+size 7762
diff --git a/datasets/attack_techniques/T1021/snapattack/snapattack.yml b/datasets/attack_techniques/T1021/snapattack/snapattack.yml
new file mode 100644
index 000000000..68ae534b4
--- /dev/null
+++ b/datasets/attack_techniques/T1021/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 3c2d473c-2cc8-465b-af06-a3361892740d
+date: '2026-04-01'
+description: Generated datasets for Windows Command Line Remote Services in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1021
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1021/snapattack/snaattack.log
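Review bot: The T1021.004 manifest's `path` points at `snaattack.log`, but the file added in this commit is `snapattack.log`; it should be `path: /datasets/attack_techniques/T1021.004/snapattack/snapattack.log`.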
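Review bot: The T1021 manifest's `path` names `snaattack.log` instead of the committed `snapattack.log`, so the dataset cannot be loaded from it; change it to `path: /datasets/attack_techniques/T1021/snapattack/snapattack.log`.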
diff --git a/datasets/attack_techniques/T1022/snapattack/snapattack.log b/datasets/attack_techniques/T1022/snapattack/snapattack.log
new file mode 100644
index 000000000..a0f8e0a63
--- /dev/null
+++ b/datasets/attack_techniques/T1022/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:578ff20ab3ecc652b6afadfb4d88553b4c3dcedd6bc92f5badd88e7c72c298f5
+size 1226
diff --git a/datasets/attack_techniques/T1022/snapattack/snapattack.yml b/datasets/attack_techniques/T1022/snapattack/snapattack.yml
new file mode 100644
index 000000000..e8ec70376
--- /dev/null
+++ b/datasets/attack_techniques/T1022/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 67a6dbde-f352-4c16-8d31-546195a2f15b
+date: '2026-04-01'
+description: Generated datasets for Windows Suspicious Key Created in Root Directory
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1022
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1022/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1027.009/snapattack/snapattack.log b/datasets/attack_techniques/T1027.009/snapattack/snapattack.log
new file mode 100644
index 000000000..bb77d7360
--- /dev/null
+++ b/datasets/attack_techniques/T1027.009/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9a16074e4462f8414ec8e0572d94a7844fc637ee654f62d2cf809a271833fab6
+size 1521
diff --git a/datasets/attack_techniques/T1027.009/snapattack/snapattack.yml b/datasets/attack_techniques/T1027.009/snapattack/snapattack.yml
new file mode 100644
index 000000000..e71fe8584
--- /dev/null
+++ b/datasets/attack_techniques/T1027.009/snapattack/snapattack.yml
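Review bot: The T1022 manifest's `path` references `snaattack.log` while the committed file is `snapattack.log`; change it to `path: /datasets/attack_techniques/T1022/snapattack/snapattack.log`. T1022 (Data Encrypted) is, as far as I recall, a deprecated ATT&CK technique ID, and "Suspicious Key Created in Root Directory" does not obviously describe encryption of collected data, so please double-check this mapping against the current ATT&CK matrix before the manifest is used to drive detection coverage reporting.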
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: fed6ef80-21ff-48c8-8e52-614b774ef17b
+date: '2026-04-01'
+description: Generated datasets for Windows Possible Turla Snake Malware Installer
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1027.009
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1027.009/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1027.010/snapattack/snapattack.log b/datasets/attack_techniques/T1027.010/snapattack/snapattack.log
new file mode 100644
index 000000000..ccda573da
--- /dev/null
+++ b/datasets/attack_techniques/T1027.010/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a0a8f8039cb556c2a83488145de3a203227a4d4b9228af3ca2996c4e7b4c341c
+size 5657
diff --git a/datasets/attack_techniques/T1027.010/snapattack/snapattack.yml b/datasets/attack_techniques/T1027.010/snapattack/snapattack.yml
new file mode 100644
index 000000000..fbc373afb
--- /dev/null
+++ b/datasets/attack_techniques/T1027.010/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 6fa1cd43-1106-466c-a2e4-cf254277ab62
+date: '2026-04-01'
+description: Generated datasets for Windows Command Obfuscation with Environment Variable
+ Substrings in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1027.010
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1027.010/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1027/snapattack/snapattack.log b/datasets/attack_techniques/T1027/snapattack/snapattack.log
new file mode 100644
index 000000000..9ccdfe246
--- /dev/null
+++ b/datasets/attack_techniques/T1027/snapattack/snapattack.log
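Review bot: The T1027.009 manifest's `path` points at `snaattack.log`, but the file added in this commit is `snapattack.log`, so the reference is dangling; it should be `path: /datasets/attack_techniques/T1027.009/snapattack/snapattack.log`. This hunk's header is on the previous line of the page.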
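Review bot: The T1027.010 manifest's `path` has the same transposed name (`snaattack.log` vs the committed `snapattack.log`) and should be `path: /datasets/attack_techniques/T1027.010/snapattack/snapattack.log`.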
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:77777d024fd535de1a50cbcebcc73a02afe1e6ba8a4b7b849272a3d9c1a0b57b
+size 4935
diff --git a/datasets/attack_techniques/T1027/snapattack/snapattack.yml b/datasets/attack_techniques/T1027/snapattack/snapattack.yml
new file mode 100644
index 000000000..ae41a2a78
--- /dev/null
+++ b/datasets/attack_techniques/T1027/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: f7e0f1ec-2f22-47c8-8e13-59f521c08829
+date: '2026-04-01'
+description: Generated datasets for Windows Possible Nuitka Artifacts in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1027
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1027/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1030/snapattack/snapattack.log b/datasets/attack_techniques/T1030/snapattack/snapattack.log
new file mode 100644
index 000000000..06df74a0d
--- /dev/null
+++ b/datasets/attack_techniques/T1030/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:327f4f83c82b1d2af0c53ce51ada507f155a1e2d196383928b56586d2a3a9340
+size 2666
diff --git a/datasets/attack_techniques/T1030/snapattack/snapattack.yml b/datasets/attack_techniques/T1030/snapattack/snapattack.yml
new file mode 100644
index 000000000..2c5c4490f
--- /dev/null
+++ b/datasets/attack_techniques/T1030/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 610dfbc6-0ce6-4a13-b500-251775f4fc39
+date: '2026-04-01'
+description: Generated datasets for Windows MagicCopy in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1030
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1030/snapattack/snaattack.log
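Review bot: The T1027 manifest's `path` references `snaattack.log` while the committed file is `snapattack.log`; change it to `path: /datasets/attack_techniques/T1027/snapattack/snapattack.log`.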
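Review bot: The T1030 manifest's `path` names `snaattack.log` instead of the `snapattack.log` file this commit adds; it should be `path: /datasets/attack_techniques/T1030/snapattack/snapattack.log`.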
diff --git a/datasets/attack_techniques/T1033/snapattack/snapattack.log b/datasets/attack_techniques/T1033/snapattack/snapattack.log
new file mode 100644
index 000000000..0f1223c44
--- /dev/null
+++ b/datasets/attack_techniques/T1033/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4e7a48a77c0af4d7a100596639916f9e0cd1c20d1e9628d43293c3c012f7fcb5
+size 6055
diff --git a/datasets/attack_techniques/T1033/snapattack/snapattack.yml b/datasets/attack_techniques/T1033/snapattack/snapattack.yml
new file mode 100644
index 000000000..2f7864f43
--- /dev/null
+++ b/datasets/attack_techniques/T1033/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 1ea06ecf-1423-4f00-a3b0-66bc2be38008
+date: '2026-04-01'
+description: Generated datasets for Windows Discovery Via Dsregcmd in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1033
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1033/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1036.005/snapattack/snapattack.log b/datasets/attack_techniques/T1036.005/snapattack/snapattack.log
new file mode 100644
index 000000000..38177d370
--- /dev/null
+++ b/datasets/attack_techniques/T1036.005/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:88ef882651291f8bd41f12437b0b5691b92815da364d31a4971275713e50c71b
+size 4840
diff --git a/datasets/attack_techniques/T1036.005/snapattack/snapattack.yml b/datasets/attack_techniques/T1036.005/snapattack/snapattack.yml
new file mode 100644
index 000000000..41164f5c7
--- /dev/null
+++ b/datasets/attack_techniques/T1036.005/snapattack/snapattack.yml
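Review bot: The T1033 manifest's `path` points at `snaattack.log`, but the LFS pointer added in this commit is `snapattack.log`, so the reference will not resolve; it should be `path: /datasets/attack_techniques/T1033/snapattack/snapattack.log`.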
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: acb07b81-669a-4f31-b669-737136025702
+date: '2026-04-01'
+description: Generated datasets for Windows Hook Created by Git.exe in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1036.005
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1036.005/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1036/snapattack/snapattack.log b/datasets/attack_techniques/T1036/snapattack/snapattack.log
new file mode 100644
index 000000000..9d908f834
--- /dev/null
+++ b/datasets/attack_techniques/T1036/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72127066f1135b2f18f685d413df3090059045bbbc95ea9e6d0ade61c643fe2d
+size 5504
diff --git a/datasets/attack_techniques/T1036/snapattack/snapattack.yml b/datasets/attack_techniques/T1036/snapattack/snapattack.yml
new file mode 100644
index 000000000..51f046b50
--- /dev/null
+++ b/datasets/attack_techniques/T1036/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: de014240-7568-4868-972a-70a934ee8ade
+date: '2026-04-01'
+description: Generated datasets for Windows Possible MagicDot Exploitation in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1036
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1036/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1037.005/snapattack/snapattack.log b/datasets/attack_techniques/T1037.005/snapattack/snapattack.log
new file mode 100644
index 000000000..7663e9ccf
--- /dev/null
+++ b/datasets/attack_techniques/T1037.005/snapattack/snapattack.log
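Review bot: The T1036.005 manifest's `path` references `snaattack.log` rather than the committed `snapattack.log`, so it will not resolve; change it to `path: /datasets/attack_techniques/T1036.005/snapattack/snapattack.log`. This hunk's header is on the previous line of the page.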
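Review bot: The T1036 manifest's `path` has the same transposed filename (`snaattack.log` vs the committed `snapattack.log`) and should be `path: /datasets/attack_techniques/T1036/snapattack/snapattack.log`.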
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55b30f601f8151c986ccb2d7fe9610862d218a5ef8af6e138646690ead387cb6
+size 2260
diff --git a/datasets/attack_techniques/T1037.005/snapattack/snapattack.yml b/datasets/attack_techniques/T1037.005/snapattack/snapattack.yml
new file mode 100644
index 000000000..3dfc59523
--- /dev/null
+++ b/datasets/attack_techniques/T1037.005/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: c03df1ca-587c-447b-8a4b-30a5eabd7b3f
+date: '2026-04-01'
+description: Generated datasets for Windows Powershell Writing Roaming Credential
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1037.005
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1037.005/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1047/snapattack/snapattack.log b/datasets/attack_techniques/T1047/snapattack/snapattack.log
new file mode 100644
index 000000000..2e9b3cf55
--- /dev/null
+++ b/datasets/attack_techniques/T1047/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bb44e5f8b7542016c841c9e7ea62587555081aa55c4be541816db85fc35b8829
+size 2492
diff --git a/datasets/attack_techniques/T1047/snapattack/snapattack.yml b/datasets/attack_techniques/T1047/snapattack/snapattack.yml
new file mode 100644
index 000000000..a75612968
--- /dev/null
+++ b/datasets/attack_techniques/T1047/snapattack/snapattack.yml
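Review bot: The T1037.005 manifest's `path` points at `snaattack.log`, but the file added in this commit is `snapattack.log`; it should be `path: /datasets/attack_techniques/T1037.005/snapattack/snapattack.log`. T1037.005 (Startup Items) is, as far as I recall, a macOS-only sub-technique, so a Windows PowerShell dataset about roaming credentials under it looks mis-mapped — please verify the intended technique ID before this is used for coverage reporting.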
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 40e76f02-222e-4029-9d6d-e8f0306e5fc0
+date: '2026-04-01'
+description: Generated datasets for Windows Creation of WBEM\CIMOM registry subkeys
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1047
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1047/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1053/snapattack/snapattack.log b/datasets/attack_techniques/T1053/snapattack/snapattack.log
new file mode 100644
index 000000000..3f2abb786
--- /dev/null
+++ b/datasets/attack_techniques/T1053/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8fcc153057fefca8224112ee9d784fd03f5d5560e4bf588f6b97590d35ee2491
+size 9734
diff --git a/datasets/attack_techniques/T1053/snapattack/snapattack.yml b/datasets/attack_techniques/T1053/snapattack/snapattack.yml
new file mode 100644
index 000000000..dc57ae3c2
--- /dev/null
+++ b/datasets/attack_techniques/T1053/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 74c3a1f2-1b0c-4b9a-a9c6-5005fefe8f02
+date: '2026-04-01'
+description: Generated datasets for Windows Impacket AtExec Process Activity in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1053
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1053/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1055/snapattack/snapattack.log b/datasets/attack_techniques/T1055/snapattack/snapattack.log
new file mode 100644
index 000000000..c488d0397
--- /dev/null
+++ b/datasets/attack_techniques/T1055/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7603987a40563049d740b06f169b4f2dd9f1d9258abd445136ba1751a83cce98
+size 11610
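Review bot: The T1047 manifest's `path` references `snaattack.log` while the committed file is `snapattack.log`, so the dataset cannot be resolved; change it to `path: /datasets/attack_techniques/T1047/snapattack/snapattack.log`. This hunk's header is on the previous line of the page.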
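Review bot: The T1053 manifest's `path` names `snaattack.log` instead of the `snapattack.log` file this commit adds; it should be `path: /datasets/attack_techniques/T1053/snapattack/snapattack.log`.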
diff --git a/datasets/attack_techniques/T1055/snapattack/snapattack.yml b/datasets/attack_techniques/T1055/snapattack/snapattack.yml
new file mode 100644
index 000000000..ac109ca6f
--- /dev/null
+++ b/datasets/attack_techniques/T1055/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: f56f382b-a2a9-49c9-bb19-54a595b0a8e3
+date: '2026-04-01'
+description: Generated datasets for Windows Mavinject Process Injection via RemoteThread
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1055
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1055/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1057/snapattack/snapattack.log b/datasets/attack_techniques/T1057/snapattack/snapattack.log
new file mode 100644
index 000000000..a7caee046
--- /dev/null
+++ b/datasets/attack_techniques/T1057/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af0454d0d568c08b26f9ab137af8d78cf2f46d347ba804271e18891aa05d12fa
+size 38286
diff --git a/datasets/attack_techniques/T1057/snapattack/snapattack.yml b/datasets/attack_techniques/T1057/snapattack/snapattack.yml
new file mode 100644
index 000000000..b6bd5007f
--- /dev/null
+++ b/datasets/attack_techniques/T1057/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 88cd73c7-d48c-4782-8ecc-d00c0ee4f569
+date: '2026-04-01'
+description: Generated datasets for Windows Process Discovery with Get-WmiObject in
+ attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1057
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1057/snapattack/snaattack.log
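Review bot: The T1055 manifest's `path` points at `snaattack.log`, but the LFS pointer added in this commit is `snapattack.log`, so the reference is dangling; it should be `path: /datasets/attack_techniques/T1055/snapattack/snapattack.log`.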
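Review bot: The T1057 manifest's `path` has the same transposed filename (`snaattack.log` vs the committed `snapattack.log`) and should be `path: /datasets/attack_techniques/T1057/snapattack/snapattack.log`.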
diff --git a/datasets/attack_techniques/T1059.001/snapattack/snapattack.log b/datasets/attack_techniques/T1059.001/snapattack/snapattack.log
new file mode 100644
index 000000000..ee11130ed
--- /dev/null
+++ b/datasets/attack_techniques/T1059.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:032234c9d1c8f150fac1b4047dd1dbb8018ae77e5a4f5796c05edf9f3cc68d4d
+size 136185
diff --git a/datasets/attack_techniques/T1059.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1059.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..b66a17090
--- /dev/null
+++ b/datasets/attack_techniques/T1059.001/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 8e9835ec-c311-4b45-b4cc-9b55f23ee84e
+date: '2026-04-01'
+description: Generated datasets for Windows Cobalt Strike Powershell in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1059.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1059.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1059.003/snapattack/snapattack.log b/datasets/attack_techniques/T1059.003/snapattack/snapattack.log
new file mode 100644
index 000000000..ad96cda4a
--- /dev/null
+++ b/datasets/attack_techniques/T1059.003/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd8797b5dbbbae51565039d5f9f9f50432a1c906adaedcaace0a29f2645fac9d
+size 1549
diff --git a/datasets/attack_techniques/T1059.003/snapattack/snapattack.yml b/datasets/attack_techniques/T1059.003/snapattack/snapattack.yml
new file mode 100644
index 000000000..a5731bfce
--- /dev/null
+++ b/datasets/attack_techniques/T1059.003/snapattack/snapattack.yml
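Review bot: The T1059.001 manifest's `path` references `snaattack.log` while the committed file is `snapattack.log`, so the Cobalt Strike PowerShell dataset cannot be located through this manifest; change it to `path: /datasets/attack_techniques/T1059.001/snapattack/snapattack.log`.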
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: e5db1bc4-ae73-4cd2-8117-a0f10f2f3457
+date: '2026-04-01'
+description: Generated datasets for Windows File Association Modification via Ftype
+  in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1059.003
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1059.003/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1059.005/snapattack/snapattack.log b/datasets/attack_techniques/T1059.005/snapattack/snapattack.log
new file mode 100644
index 000000000..176304b95
--- /dev/null
+++ b/datasets/attack_techniques/T1059.005/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e48f1861f1aca9cb80f61b7c4ac6589d74f2026519f1e61104385360fed2620c
+size 7866
diff --git a/datasets/attack_techniques/T1059.005/snapattack/snapattack.yml b/datasets/attack_techniques/T1059.005/snapattack/snapattack.yml
new file mode 100644
index 000000000..01a41290d
--- /dev/null
+++ b/datasets/attack_techniques/T1059.005/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 5a3f7ee5-4eab-4a85-ac6b-de8ef1a290af
+date: '2026-04-01'
+description: Generated datasets for Windows mmc.exe loading vbscript.dll in attack
+  range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1059.005
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1059.005/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1059.006/snapattack/snapattack.log b/datasets/attack_techniques/T1059.006/snapattack/snapattack.log
new file mode 100644
index 000000000..6e0b0f858
--- /dev/null
+++ b/datasets/attack_techniques/T1059.006/snapattack/snapattack.log
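Review bot: The T1059.003 manifest's last line points at `snaattack.log`, a file that does not exist in this commit (the pointer added for this technique is `snapattack.log`); it should be `path: /datasets/attack_techniques/T1059.003/snapattack/snapattack.log`. The file header for this hunk is on the previous line of the diff.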
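Review bot: The T1059.005 manifest carries the same broken `path` (`snaattack.log` instead of `snapattack.log`), so the Sysmon events it describes will not be loadable by `path`; correct it to `path: /datasets/attack_techniques/T1059.005/snapattack/snapattack.log`. A simple CI check that every `datasets[].path` exists on disk would have caught all of these before merge.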
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:719454c2f24d90f92c4e3717e8c6d4e13b1f9fa22a04091d8cacc7c3e9c6e6e3
+size 2666
diff --git a/datasets/attack_techniques/T1059.006/snapattack/snapattack.yml b/datasets/attack_techniques/T1059.006/snapattack/snapattack.yml
new file mode 100644
index 000000000..a94520e03
--- /dev/null
+++ b/datasets/attack_techniques/T1059.006/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 603a0756-a08b-41b0-b07d-2e14200b0496
+date: '2026-04-01'
+description: Generated datasets for Windows Impacket DCOMExec Activity in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1059.006
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1059.006/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1059.007/snapattack/snapattack.log b/datasets/attack_techniques/T1059.007/snapattack/snapattack.log
new file mode 100644
index 000000000..f7d45a61a
--- /dev/null
+++ b/datasets/attack_techniques/T1059.007/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dd71c1c02bcc19f10d177e6a0278a9491f5ad98e4489a2689c42cc60e669a49d
+size 4400
diff --git a/datasets/attack_techniques/T1059.007/snapattack/snapattack.yml b/datasets/attack_techniques/T1059.007/snapattack/snapattack.yml
new file mode 100644
index 000000000..b901c7311
--- /dev/null
+++ b/datasets/attack_techniques/T1059.007/snapattack/snapattack.yml
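Review bot: The T1059.006 manifest's `path` is `snaattack.log` but the committed file is `snapattack.log`; it should read `path: /datasets/attack_techniques/T1059.006/snapattack/snapattack.log`. Separately, tagging "Impacket DCOMExec Activity" observed in the Security log as T1059.006 (Python) looks like it classifies the tool's implementation language rather than the behaviour in the events; if the dataset is meant to exercise DCOM-based execution, confirm the intended technique before detections are tested against it.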
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 9f1a9b9f-2fec-46c9-8be9-048e49f002ca
+date: '2026-04-01'
+description: Generated datasets for Windows Exela Stealer Javascript Popup in attack
+  range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1059.007
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1059.007/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1059/snapattack/snapattack.log b/datasets/attack_techniques/T1059/snapattack/snapattack.log
new file mode 100644
index 000000000..103f81d53
--- /dev/null
+++ b/datasets/attack_techniques/T1059/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c5c5046bcd28be023dc8dfbe8004369927c390848554a15ff2dadf9b60a06934
+size 22457
diff --git a/datasets/attack_techniques/T1059/snapattack/snapattack.yml b/datasets/attack_techniques/T1059/snapattack/snapattack.yml
new file mode 100644
index 000000000..ec512f5b5
--- /dev/null
+++ b/datasets/attack_techniques/T1059/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 33eda4b7-6b26-4cec-806f-4ad8e2fcdd02
+date: '2026-04-01'
+description: Generated datasets for Windows Crowdstrike RTR Process Execution in attack
+  range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1059
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1059/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1068/snapattack/snapattack.log b/datasets/attack_techniques/T1068/snapattack/snapattack.log
new file mode 100644
index 000000000..3692ddab2
--- /dev/null
+++ b/datasets/attack_techniques/T1068/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6e5d88b38674f0a480ded09775a1d205b6d65a4e0ef330c2c6ca1e398a2ca4f8
+size 22207
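Review bot: The T1059.007 manifest's `path` points at `snaattack.log`, which this commit never creates; the log it adds for this technique is `snapattack.log`, so the line should be `path: /datasets/attack_techniques/T1059.007/snapattack/snapattack.log`. Its file header is on the previous diff line.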
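Review bot: In the T1059 manifest the `path` value (`snaattack.log`) does not match the `snapattack.log` pointer added in the hunk before it; use `path: /datasets/attack_techniques/T1059/snapattack/snapattack.log`. Because the path is the only link between the manifest and the data, a resolver that treats a missing file as "no events" would make every detection built on this dataset vacuously green.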
diff --git a/datasets/attack_techniques/T1068/snapattack/snapattack.yml b/datasets/attack_techniques/T1068/snapattack/snapattack.yml
new file mode 100644
index 000000000..a523f2625
--- /dev/null
+++ b/datasets/attack_techniques/T1068/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 430623fe-f2ec-42a1-9015-41077aa40f74
+date: '2026-04-01'
+description: Generated datasets for Windows FileSystem Privilege Escalation Tools
+  in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1068
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1068/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1069/snapattack/snapattack.log b/datasets/attack_techniques/T1069/snapattack/snapattack.log
new file mode 100644
index 000000000..7ff79e4fa
--- /dev/null
+++ b/datasets/attack_techniques/T1069/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:341730af2fce1cb56b6b30770fa24950a95d0b5354bc5dd2f3f6b676c381365c
+size 1464
diff --git a/datasets/attack_techniques/T1069/snapattack/snapattack.yml b/datasets/attack_techniques/T1069/snapattack/snapattack.yml
new file mode 100644
index 000000000..699d0ef90
--- /dev/null
+++ b/datasets/attack_techniques/T1069/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 825df80c-94ee-4fd4-9282-0cf0bba69181
+date: '2026-04-01'
+description: Generated datasets for Windows Active Directory Command Line Tools in
+  attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1069
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1069/snapattack/snaattack.log
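Review bot: The T1068 manifest's `path` names `snaattack.log` although the file committed for this technique is `snapattack.log`; change it to `path: /datasets/attack_techniques/T1068/snapattack/snapattack.log`. The misspelling is consistent across the whole batch, so fixing the template that emits `path` is more reliable than patching each file.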
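Review bot: The T1069 manifest repeats the broken `path` (`snaattack.log` where the committed pointer is `snapattack.log`); it should be `path: /datasets/attack_techniques/T1069/snapattack/snapattack.log`. Until corrected, nothing that loads datasets by `path` will see this Security-log sample.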
diff --git a/datasets/attack_techniques/T1071.001/snapattack/snapattack.log b/datasets/attack_techniques/T1071.001/snapattack/snapattack.log
new file mode 100644
index 000000000..f84782800
--- /dev/null
+++ b/datasets/attack_techniques/T1071.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1299122c90896e99fcfda508142ed9b3266d43653334ed1375a1440272042a1f
+size 4100
diff --git a/datasets/attack_techniques/T1071.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1071.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..79c865880
--- /dev/null
+++ b/datasets/attack_techniques/T1071.001/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: e877093f-bf3d-4542-b1b4-8ec884ffc196
+date: '2026-04-01'
+description: Generated datasets for Windows Command line contains an HTTP string in
+  attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1071.001
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1071.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1071.004/snapattack/snapattack.log b/datasets/attack_techniques/T1071.004/snapattack/snapattack.log
new file mode 100644
index 000000000..406d1adbf
--- /dev/null
+++ b/datasets/attack_techniques/T1071.004/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c6d940f053f05e2d2fb68f56d5437eab8d195dfe44ea887c1e5c36096f68a95
+size 2462
diff --git a/datasets/attack_techniques/T1071.004/snapattack/snapattack.yml b/datasets/attack_techniques/T1071.004/snapattack/snapattack.yml
new file mode 100644
index 000000000..578276164
--- /dev/null
+++ b/datasets/attack_techniques/T1071.004/snapattack/snapattack.yml
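Review bot: The T1071.001 manifest's `path` (`snaattack.log`) does not match the `snapattack.log` file added two hunks earlier; it should be `path: /datasets/attack_techniques/T1071.001/snapattack/snapattack.log`. Since `source` is `XmlWinEventLog:Security`, the "command line contains an HTTP string" sample presumably depends on process-creation command-line auditing being enabled in the range; a note in `description` saying so would help anyone trying to reproduce the data.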
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: d29d7889-4677-4f08-84d2-f06668e144f7
+date: '2026-04-01'
+description: Generated datasets for Windows Visual Basic Commandline Compiler DNSQuery
+  in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1071.004
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1071.004/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1074/snapattack/snapattack.log b/datasets/attack_techniques/T1074/snapattack/snapattack.log
new file mode 100644
index 000000000..def707dc5
--- /dev/null
+++ b/datasets/attack_techniques/T1074/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4d96eaba84afad8475857a6c1dd7acdac5bf670367b21d5c4dc72bfe461cc917
+size 2336
diff --git a/datasets/attack_techniques/T1074/snapattack/snapattack.yml b/datasets/attack_techniques/T1074/snapattack/snapattack.yml
new file mode 100644
index 000000000..0597ae8ee
--- /dev/null
+++ b/datasets/attack_techniques/T1074/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: fc6c4374-86e1-4e36-8675-302748dd7477
+date: '2026-04-01'
+description: Generated datasets for Windows MPNotify Creating File in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1074
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1074/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1078.001/snapattack/snapattack.log b/datasets/attack_techniques/T1078.001/snapattack/snapattack.log
new file mode 100644
index 000000000..90aabaa1d
--- /dev/null
+++ b/datasets/attack_techniques/T1078.001/snapattack/snapattack.log
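Review bot: The T1071.004 manifest ends with `path: .../snaattack.log`, but the committed file is `snapattack.log`; it should be `path: /datasets/attack_techniques/T1071.004/snapattack/snapattack.log`. The file header for this hunk is on the previous diff line.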
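Review bot: The T1074 manifest's `path` is `snaattack.log` while the file added in the previous hunk is `snapattack.log`; correct it to `path: /datasets/attack_techniques/T1074/snapattack/snapattack.log`. Every `path` in this commit is derivable from `mitre_technique`, `directory` and `name`, so a loader-side consistency check would be cheap to add.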
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d09e849d849879e5a71c9be5bc3721bcbc7c975133757fad83dbfdbd0da18102
+size 1503
diff --git a/datasets/attack_techniques/T1078.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1078.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..b103510ea
--- /dev/null
+++ b/datasets/attack_techniques/T1078.001/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 8857e0c1-8fc6-4326-80ad-7b7bb74d09c5
+date: '2026-04-01'
+description: Generated datasets for Windows Guest Account Activated in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1078.001
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1078.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1078.003/snapattack/snapattack.log b/datasets/attack_techniques/T1078.003/snapattack/snapattack.log
new file mode 100644
index 000000000..767bbf554
--- /dev/null
+++ b/datasets/attack_techniques/T1078.003/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:efa0a04ec7e2a889e7d29b5ae7a9f2220bbc7b938f22762c7db8e376d3d41b2f
+size 3106
diff --git a/datasets/attack_techniques/T1078.003/snapattack/snapattack.yml b/datasets/attack_techniques/T1078.003/snapattack/snapattack.yml
new file mode 100644
index 000000000..8a08be3a8
--- /dev/null
+++ b/datasets/attack_techniques/T1078.003/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 4dc4a0fc-aa2b-4647-99a9-0bbcc3ddede5
+date: '2026-04-01'
+description: Generated datasets for Windows Possible LAPS Access in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1078.003
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1078.003/snapattack/snaattack.log
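Review bot: The T1078.001 manifest's `path` references `snaattack.log`, a file not present in the commit (the pointer added is `snapattack.log`); it should read `path: /datasets/attack_techniques/T1078.001/snapattack/snapattack.log`. Nothing else in the manifest is wrong, but without a resolvable path the Security events it describes are unreachable by tooling.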
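Review bot: The T1078.003 manifest has the same `path` typo (`snaattack.log` versus the committed `snapattack.log`); use `path: /datasets/attack_techniques/T1078.003/snapattack/snapattack.log`. If the generator also emits the LFS pointer, having it write both names from one variable would keep them from drifting again.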
diff --git a/datasets/attack_techniques/T1078/snapattack/snapattack.log b/datasets/attack_techniques/T1078/snapattack/snapattack.log
new file mode 100644
index 000000000..1f1c6f2f0
--- /dev/null
+++ b/datasets/attack_techniques/T1078/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cbbaf93cd5d51dd41b924b8b566743b4516e52e7b724b11e6adac539b20dc69a
+size 10270
diff --git a/datasets/attack_techniques/T1078/snapattack/snapattack.yml b/datasets/attack_techniques/T1078/snapattack/snapattack.yml
new file mode 100644
index 000000000..ab45aba06
--- /dev/null
+++ b/datasets/attack_techniques/T1078/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 729e8602-60aa-4b91-be56-aa6812e106bc
+date: '2026-04-01'
+description: Generated datasets for Windows Azure Powershell Modules Installed in
+  attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1078
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+  path: /datasets/attack_techniques/T1078/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1082/snapattack/snapattack.log b/datasets/attack_techniques/T1082/snapattack/snapattack.log
new file mode 100644
index 000000000..7815755a4
--- /dev/null
+++ b/datasets/attack_techniques/T1082/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:07ba36c6147ddae836af00e3f982b332863eeca27ab39584c5292a5a4ae85372
+size 2146
diff --git a/datasets/attack_techniques/T1082/snapattack/snapattack.yml b/datasets/attack_techniques/T1082/snapattack/snapattack.yml
new file mode 100644
index 000000000..3bdc89381
--- /dev/null
+++ b/datasets/attack_techniques/T1082/snapattack/snapattack.yml
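Review bot: The T1078 manifest's `path` points at `snaattack.log` but the file committed for this technique is `snapattack.log`; it should be `path: /datasets/attack_techniques/T1078/snapattack/snapattack.log`. Also, "Azure Powershell Modules Installed" under T1078 (Valid Accounts) is a loose fit — the PowerShell/Operational events presumably show a module install rather than credential use — so it would be worth confirming the technique before this sample is wired into detection tests.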
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 678e0d41-1fb6-40e4-8556-fc5168784634
+date: '2026-04-01'
+description: Generated datasets for Windows PrivescCheck Powershell Functions in attack
+  range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1082
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+  path: /datasets/attack_techniques/T1082/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1087.002/snapattack/snapattack.log b/datasets/attack_techniques/T1087.002/snapattack/snapattack.log
new file mode 100644
index 000000000..46810aec3
--- /dev/null
+++ b/datasets/attack_techniques/T1087.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:936a76340cb8c20c8c7fba7ae041117075a9e53f5f7925b5faf8b628ff5e2561
+size 2904
diff --git a/datasets/attack_techniques/T1087.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1087.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..bc517826f
--- /dev/null
+++ b/datasets/attack_techniques/T1087.002/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 839ae0f7-7316-400e-8dcd-faf873544af5
+date: '2026-04-01'
+description: Generated datasets for Windows Attempt to access Groups.xml in SYSVOL
+  in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1087.002
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1087.002/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1090/snapattack/snapattack.log b/datasets/attack_techniques/T1090/snapattack/snapattack.log
new file mode 100644
index 000000000..e649752c6
--- /dev/null
+++ b/datasets/attack_techniques/T1090/snapattack/snapattack.log
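Review bot: The T1082 manifest's last line names `snaattack.log`, which does not match the `snapattack.log` file this commit adds for the technique; change it to `path: /datasets/attack_techniques/T1082/snapattack/snapattack.log`. The hunk's file header is on the previous diff line.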
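Review bot: The T1087.002 manifest's `path` (`snaattack.log`) does not resolve to the committed `snapattack.log`; it should be `path: /datasets/attack_techniques/T1087.002/snapattack/snapattack.log`. Given the Groups.xml/SYSVOL sample is recorded from the Security log, the `description` could usefully say which audit policy (object or share access) was enabled so the capture can be reproduced, though that is secondary to the broken path.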
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:de5bd01e547dbb879611187fe8a5eee43cd8663af8c26586675deca7a16f5d7c
+size 10354
diff --git a/datasets/attack_techniques/T1090/snapattack/snapattack.yml b/datasets/attack_techniques/T1090/snapattack/snapattack.yml
new file mode 100644
index 000000000..cbaa2334a
--- /dev/null
+++ b/datasets/attack_techniques/T1090/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 26daac40-7593-4ebc-981b-e8a1a13f5876
+date: '2026-04-01'
+description: Generated datasets for Windows Devtunnels Commands in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1090
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1090/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1112/snapattack/snapattack.log b/datasets/attack_techniques/T1112/snapattack/snapattack.log
new file mode 100644
index 000000000..5e92359f7
--- /dev/null
+++ b/datasets/attack_techniques/T1112/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bb559d2673d9ab1af7527c68105853305c35acf6bb4b23996a8fde71e07c51c3
+size 24894
diff --git a/datasets/attack_techniques/T1112/snapattack/snapattack.yml b/datasets/attack_techniques/T1112/snapattack/snapattack.yml
new file mode 100644
index 000000000..f23a435e9
--- /dev/null
+++ b/datasets/attack_techniques/T1112/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 764ab654-e554-4139-9e9f-630da812ae1f
+date: '2026-04-01'
+description: Generated datasets for Windows AuKill Indicators - Registry in attack
+  range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1112
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1112/snapattack/snaattack.log
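Review bot: The T1090 manifest's `path` is `snaattack.log` while the committed file is `snapattack.log`; it should be `path: /datasets/attack_techniques/T1090/snapattack/snapattack.log`. A missing dataset here means any Dev Tunnels detection validated against it is not actually exercised.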
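Review bot: The T1112 manifest carries the same `path` misspelling (`snaattack.log` instead of `snapattack.log`); correct it to `path: /datasets/attack_techniques/T1112/snapattack/snapattack.log`. Because `source` is Sysmon/Operational, the AuKill registry sample presumably relies on registry event IDs 12/13 being enabled in the Sysmon config; stating that in `description` would make the capture reproducible.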
diff --git a/datasets/attack_techniques/T1119/snapattack/snapattack.log b/datasets/attack_techniques/T1119/snapattack/snapattack.log
new file mode 100644
index 000000000..bc229a65c
--- /dev/null
+++ b/datasets/attack_techniques/T1119/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5dd1f893153f05b3a491d8db69f8e542f81bcd8384f93dc54db0295413799b3d
+size 6380
diff --git a/datasets/attack_techniques/T1119/snapattack/snapattack.yml b/datasets/attack_techniques/T1119/snapattack/snapattack.yml
new file mode 100644
index 000000000..83834b7d1
--- /dev/null
+++ b/datasets/attack_techniques/T1119/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: a1ce25ca-ccff-4320-ad9a-dfaf58106899
+date: '2026-04-01'
+description: Generated datasets for Windows Process Accessing Windows Recall Directory
+  in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1119
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1119/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1128/snapattack/snapattack.log b/datasets/attack_techniques/T1128/snapattack/snapattack.log
new file mode 100644
index 000000000..f4e170d0a
--- /dev/null
+++ b/datasets/attack_techniques/T1128/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c2af896a78713d30ce0e299ab39520d16c458569623d047084391a63679bfbcd
+size 1247
diff --git a/datasets/attack_techniques/T1128/snapattack/snapattack.yml b/datasets/attack_techniques/T1128/snapattack/snapattack.yml
new file mode 100644
index 000000000..b4e5936ab
--- /dev/null
+++ b/datasets/attack_techniques/T1128/snapattack/snapattack.yml
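Review bot: The T1119 manifest's `path` names `snaattack.log`, which the commit never adds (the pointer is `snapattack.log`); it should be `path: /datasets/attack_techniques/T1119/snapattack/snapattack.log`. Everything else in the manifest is consistent with its siblings.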
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: df6e0f1e-1da6-4891-b022-2cd1b0a779ed
+date: '2026-04-01'
+description: Generated datasets for Windows Netsh DLL Persistence in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1128
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1128/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1129/snapattack/snapattack.log b/datasets/attack_techniques/T1129/snapattack/snapattack.log
new file mode 100644
index 000000000..a9107fcc5
--- /dev/null
+++ b/datasets/attack_techniques/T1129/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:abcf0d376ee940e834ded59e235208e54271325bcdacc8df16e96bd5dc8420b0
+size 9674
diff --git a/datasets/attack_techniques/T1129/snapattack/snapattack.yml b/datasets/attack_techniques/T1129/snapattack/snapattack.yml
new file mode 100644
index 000000000..324ebead8
--- /dev/null
+++ b/datasets/attack_techniques/T1129/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 44730813-eabb-4cbc-868d-3ad436d50046
+date: '2026-04-01'
+description: Generated datasets for Windows DLL Created in System32 in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1129
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1129/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1133/snapattack/snapattack.log b/datasets/attack_techniques/T1133/snapattack/snapattack.log
new file mode 100644
index 000000000..43650119e
--- /dev/null
+++ b/datasets/attack_techniques/T1133/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6e6a3dd6a3a87aaee972a57e65a42275e289e74662e98cf7413a216f4127f577
+size 3082
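Review bot: The T1128 manifest's `path` points at `snaattack.log` but the committed log is `snapattack.log`; it should read `path: /datasets/attack_techniques/T1128/snapattack/snapattack.log`. Its file header sits on the previous diff line.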
diff --git a/datasets/attack_techniques/T1133/snapattack/snapattack.yml b/datasets/attack_techniques/T1133/snapattack/snapattack.yml
new file mode 100644
index 000000000..ce2c7873d
--- /dev/null
+++ b/datasets/attack_techniques/T1133/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 3407d901-5e03-48de-a35f-869570399600
+date: '2026-04-01'
+description: Generated datasets for Windows Potentially Unwanted Program - Remote
+  Admin Tools in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1133
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1133/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1136.002/snapattack/snapattack.log b/datasets/attack_techniques/T1136.002/snapattack/snapattack.log
new file mode 100644
index 000000000..023d99e1f
--- /dev/null
+++ b/datasets/attack_techniques/T1136.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:064ad9209748cefbce1aad4f647b5ba83cb8eccce32b23e75857eda96e356a74
+size 4008
diff --git a/datasets/attack_techniques/T1136.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1136.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..32f2e6949
--- /dev/null
+++ b/datasets/attack_techniques/T1136.002/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 53e422d7-93de-4586-9a5a-378c9d644d31
+date: '2026-04-01'
+description: Generated datasets for Windows Computer AD account escalated to a domain
+  controller in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1136.002
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1136.002/snapattack/snaattack.log
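Review bot: The T1133 manifest's `path` (`snaattack.log`) does not match the `snapattack.log` file added for this technique; it should be `path: /datasets/attack_techniques/T1133/snapattack/snapattack.log`. The misspelling is systematic across the commit, so the fix belongs in whatever emits these manifests.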
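Review bot: The T1136.002 manifest's `path` is `snaattack.log` while the committed pointer is `snapattack.log`; correct it to `path: /datasets/attack_techniques/T1136.002/snapattack/snapattack.log`. Separately, "Computer AD account escalated to a domain controller" describes a rogue-DC style change rather than account creation, so T1207 may be the better fit than T1136.002 (Domain Account) — worth confirming against the events in the log.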
diff --git a/datasets/attack_techniques/T1136/snapattack/snapattack.log b/datasets/attack_techniques/T1136/snapattack/snapattack.log
new file mode 100644
index 000000000..b6e1a6e98
--- /dev/null
+++ b/datasets/attack_techniques/T1136/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bb5dab1e94415268808844c5049ce831ddbb0af17e402155ca7b86f16ef68087
+size 1750
diff --git a/datasets/attack_techniques/T1136/snapattack/snapattack.yml b/datasets/attack_techniques/T1136/snapattack/snapattack.yml
new file mode 100644
index 000000000..4663e8c48
--- /dev/null
+++ b/datasets/attack_techniques/T1136/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: cd08fc7d-2263-487f-8e55-fa1159f99601
+date: '2026-04-01'
+description: Generated datasets for Windows Azure User Activity via CLI in attack
+  range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1136
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1136/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1137.006/snapattack/snapattack.log b/datasets/attack_techniques/T1137.006/snapattack/snapattack.log
new file mode 100644
index 000000000..ee9413ab2
--- /dev/null
+++ b/datasets/attack_techniques/T1137.006/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:819146abc330354c0c93a9ee18337b4e7e9e608c0ce15b4979eb2029ca652722
+size 6813
diff --git a/datasets/attack_techniques/T1137.006/snapattack/snapattack.yml b/datasets/attack_techniques/T1137.006/snapattack/snapattack.yml
new file mode 100644
index 000000000..d135616f4
--- /dev/null
+++ b/datasets/attack_techniques/T1137.006/snapattack/snapattack.yml
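Review bot: The T1136 manifest's `path` names `snaattack.log`, but the file committed in the preceding hunk is `snapattack.log`; it should be `path: /datasets/attack_techniques/T1136/snapattack/snapattack.log`. Until it resolves, the Azure CLI sample cannot be replayed by anything that honours `path`.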
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 5c795d84-31f5-48eb-ad75-021061efe92f
+date: '2026-04-01'
+description: Generated datasets for Windows Office VSTO Add-in DLL in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1137.006
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1137.006/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1140/snapattack/snapattack.log b/datasets/attack_techniques/T1140/snapattack/snapattack.log
new file mode 100644
index 000000000..a833cfa69
--- /dev/null
+++ b/datasets/attack_techniques/T1140/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:36586c934f66bcc0811e9351dbf1517e05196cb68e6059c31055e1df5d4b95f5
+size 2345
diff --git a/datasets/attack_techniques/T1140/snapattack/snapattack.yml b/datasets/attack_techniques/T1140/snapattack/snapattack.yml
new file mode 100644
index 000000000..916f6cd57
--- /dev/null
+++ b/datasets/attack_techniques/T1140/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 803eb10c-7d1f-48e7-82c9-82a079c3812e
+date: '2026-04-01'
+description: Generated datasets for Windows Armageddon/Shuckworm VBScript dropping
+  in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1140
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+  path: /datasets/attack_techniques/T1140/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1187/snapattack/snapattack.log b/datasets/attack_techniques/T1187/snapattack/snapattack.log
new file mode 100644
index 000000000..030610a7d
--- /dev/null
+++ b/datasets/attack_techniques/T1187/snapattack/snapattack.log
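Review bot: The T1137.006 manifest's last line references `snaattack.log` instead of the committed `snapattack.log`; it should be `path: /datasets/attack_techniques/T1137.006/snapattack/snapattack.log`. The file header for this hunk is on the previous diff line.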
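Review bot: The T1140 manifest's `path` (`snaattack.log`) does not match the `snapattack.log` pointer added just above; correct it to `path: /datasets/attack_techniques/T1140/snapattack/snapattack.log`. A one-line existence check per `datasets[].path` in the repository's validation step would stop this recurring.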
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a357cd25891d29b30c439bba4486216a34c17a9ccc55d017c4f9682a9db94146
+size 8636
diff --git a/datasets/attack_techniques/T1187/snapattack/snapattack.yml b/datasets/attack_techniques/T1187/snapattack/snapattack.yml
new file mode 100644
index 000000000..1f8ff0111
--- /dev/null
+++ b/datasets/attack_techniques/T1187/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 4153361b-39d9-49d6-abb7-11ca1b4f245f
+date: '2026-04-01'
+description: Generated datasets for Windows Possible DFSCoerce Attack in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1187
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1187/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1190/snapattack/snapattack.log b/datasets/attack_techniques/T1190/snapattack/snapattack.log
new file mode 100644
index 000000000..abcaac0dd
--- /dev/null
+++ b/datasets/attack_techniques/T1190/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73f63a6768163a114ba748cd42f909d0efa56a663a408b2e0889c21cc3319774
+size 42369
diff --git a/datasets/attack_techniques/T1190/snapattack/snapattack.yml b/datasets/attack_techniques/T1190/snapattack/snapattack.yml
new file mode 100644
index 000000000..03e4b6067
--- /dev/null
+++ b/datasets/attack_techniques/T1190/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 1df9301c-3673-4c78-864e-e05b67e68748
+date: '2026-04-01'
+description: Generated datasets for Windows Apache ActiveMQ Exploitation in attack
+  range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1190
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1190/snapattack/snaattack.log
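Review bot: The T1187 manifest's `path` points at `snaattack.log`, a file the commit does not add (the pointer is `snapattack.log`); it should be `path: /datasets/attack_techniques/T1187/snapattack/snapattack.log`. The DFSCoerce sample is recorded from the Security log, so noting in `description` that it was captured on the coerced host (or the DC) would help consumers know where the detection is expected to fire.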
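Review bot: The T1190 manifest has the same `path` defect (`snaattack.log` versus the committed `snapattack.log`); use `path: /datasets/attack_techniques/T1190/snapattack/snapattack.log`. Nothing else in the manifest diverges from the rest of the batch.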
diff --git a/datasets/attack_techniques/T1203/snapattack/snapattack.log b/datasets/attack_techniques/T1203/snapattack/snapattack.log
new file mode 100644
index 000000000..528590b0e
--- /dev/null
+++ b/datasets/attack_techniques/T1203/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3144800896364e0273ef83c966d268d97b12c3633bca5b885cbbd22de1c60326
+size 7620
diff --git a/datasets/attack_techniques/T1203/snapattack/snapattack.yml b/datasets/attack_techniques/T1203/snapattack/snapattack.yml
new file mode 100644
index 000000000..4dc74227b
--- /dev/null
+++ b/datasets/attack_techniques/T1203/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 136ffbec-3ac9-47b1-9f42-ebb6a14e158a
+date: '2026-04-01'
+description: Generated datasets for Windows Suspicious Git Config Commands in attack
+  range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1203
+datasets:
+- name: snapattack
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1203/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1204.002/snapattack/snapattack.log b/datasets/attack_techniques/T1204.002/snapattack/snapattack.log
new file mode 100644
index 000000000..54f1d4ee2
--- /dev/null
+++ b/datasets/attack_techniques/T1204.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4c3c019d1228076c5e06f32fd92845d2086d6449b6d62da9bdf009e6d79ed0db
+size 22364
diff --git a/datasets/attack_techniques/T1204.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1204.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..20a6b50cd
--- /dev/null
+++ b/datasets/attack_techniques/T1204.002/snapattack/snapattack.yml
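Review bot: The T1203 manifest's `path` is `snaattack.log` but the committed file is `snapattack.log`; it should read `path: /datasets/attack_techniques/T1203/snapattack/snapattack.log`. The technique also looks questionable: "Suspicious Git Config Commands" in the Security log is a command-line observation, and T1203 (Exploitation for Client Execution) is usually reserved for exploiting a client-side vulnerability, so confirm whether a different technique was intended before this drives coverage numbers.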
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 0ca9d89a-0934-45b9-b25b-4e031205f90f
+date: '2026-04-01'
+description: Generated datasets for Windows Binary Executed within 7zip in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1204.002
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1204.002/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1204/snapattack/snapattack.log b/datasets/attack_techniques/T1204/snapattack/snapattack.log
new file mode 100644
index 000000000..d1ee5589c
--- /dev/null
+++ b/datasets/attack_techniques/T1204/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ca53baeefa9bedbf50d489aac0e8111fd1938caa5ffca7d6818f2a2695bcfd30
+size 4266
diff --git a/datasets/attack_techniques/T1204/snapattack/snapattack.yml b/datasets/attack_techniques/T1204/snapattack/snapattack.yml
new file mode 100644
index 000000000..6c9910409
--- /dev/null
+++ b/datasets/attack_techniques/T1204/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 6dcd4e80-082a-4f8d-a4f8-1483d52e4c04
+date: '2026-04-01'
+description: Generated datasets for Windows Strange Process spawned by sdiagnhost
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1204
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1204/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1207/snapattack/snapattack.log b/datasets/attack_techniques/T1207/snapattack/snapattack.log
new file mode 100644
index 000000000..2b80c2617
--- /dev/null
+++ b/datasets/attack_techniques/T1207/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:be212c717578e69ea4a1c1b9618b21056527be8e82a26554d5c297bae15a0f0a
+size 2990
diff --git a/datasets/attack_techniques/T1207/snapattack/snapattack.yml b/datasets/attack_techniques/T1207/snapattack/snapattack.yml
new file mode 100644
index 000000000..acc23c0d9
--- /dev/null
+++ b/datasets/attack_techniques/T1207/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 0f2ead61-a5ea-42ec-a5e2-4291f7c9d1dc
+date: '2026-04-01'
+description: Generated datasets for Windows Operation performed with DS-Install-Replica
+ privilege in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1207
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1207/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1210/snapattack/snapattack.log b/datasets/attack_techniques/T1210/snapattack/snapattack.log
new file mode 100644
index 000000000..bcd105078
--- /dev/null
+++ b/datasets/attack_techniques/T1210/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:823797bb3b7f32b7cb785a0a598c72500ac5f0ce6540f53f3da0994587666bd0
+size 2258
diff --git a/datasets/attack_techniques/T1210/snapattack/snapattack.yml b/datasets/attack_techniques/T1210/snapattack/snapattack.yml
new file mode 100644
index 000000000..a3fe056f7
--- /dev/null
+++ b/datasets/attack_techniques/T1210/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 9dcaa6c2-4017-431f-8ccd-535408ed7428
+date: '2026-04-01'
+description: Generated datasets for Windows Suspicious child processes of Atlassian
+ Confluence in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1210
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1210/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1217/snapattack/snapattack.log b/datasets/attack_techniques/T1217/snapattack/snapattack.log
new file mode 100644
index 000000000..b8ffda12d
--- /dev/null
+++ b/datasets/attack_techniques/T1217/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f6346122e2054f21b252e88ba2a0e750b593907c90f6c96a33653ab2c5147001
+size 1565
diff --git a/datasets/attack_techniques/T1217/snapattack/snapattack.yml b/datasets/attack_techniques/T1217/snapattack/snapattack.yml
new file mode 100644
index 000000000..129759a8e
--- /dev/null
+++ b/datasets/attack_techniques/T1217/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: d3e3aea9-f4ff-474b-9c8d-e31c3de30faf
+date: '2026-04-01'
+description: Generated datasets for Windows Chrome Bookmarks Activity in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1217
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1217/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1218.007/snapattack/snapattack.log b/datasets/attack_techniques/T1218.007/snapattack/snapattack.log
new file mode 100644
index 000000000..c08934cac
--- /dev/null
+++ b/datasets/attack_techniques/T1218.007/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3878232d113c0a37200f84bfb4b7d533795e0236238065f120cacfd882397be7
+size 4390
diff --git a/datasets/attack_techniques/T1218.007/snapattack/snapattack.yml b/datasets/attack_techniques/T1218.007/snapattack/snapattack.yml
new file mode 100644
index 000000000..0acaebc32
--- /dev/null
+++ b/datasets/attack_techniques/T1218.007/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 73e1c5cd-f682-4a31-bd15-552cfbd991ad
+date: '2026-04-01'
+description: Generated datasets for Windows Possible FileSystem Privilege Escalation
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1218.007
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1218.007/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1218.010/snapattack/snapattack.log b/datasets/attack_techniques/T1218.010/snapattack/snapattack.log
new file mode 100644
index 000000000..0b6907f74
--- /dev/null
+++ b/datasets/attack_techniques/T1218.010/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:96636071f13524e7384bb4a021b478801eb5456942cfc8fbeaa63529ef9bbfc8
+size 1599
diff --git a/datasets/attack_techniques/T1218.010/snapattack/snapattack.yml b/datasets/attack_techniques/T1218.010/snapattack/snapattack.yml
new file mode 100644
index 000000000..a1e631dae
--- /dev/null
+++ b/datasets/attack_techniques/T1218.010/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 1499a5ff-0e8b-4b68-b451-8042ccd54f50
+date: '2026-04-01'
+description: Generated datasets for Windows IOBit Unlocker Extension DLL in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1218.010
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1218.010/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1218.011/snapattack/snapattack.log b/datasets/attack_techniques/T1218.011/snapattack/snapattack.log
new file mode 100644
index 000000000..73065338a
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b863e5f3e63c90061ad8c74d4a6c009cc203bf227b70711a00d634484f4ad5df
+size 9450
diff --git a/datasets/attack_techniques/T1218.011/snapattack/snapattack.yml b/datasets/attack_techniques/T1218.011/snapattack/snapattack.yml
new file mode 100644
index 000000000..207696262
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: cbe0ab39-1b82-4076-ab2a-80c9cd287459
+date: '2026-04-01'
+description: Generated datasets for Windows Bypass syssetup SetupInfObjectInstallAction
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1218.011
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1218.011/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1218.014/snapattack/snapattack.log b/datasets/attack_techniques/T1218.014/snapattack/snapattack.log
new file mode 100644
index 000000000..59f52790c
--- /dev/null
+++ b/datasets/attack_techniques/T1218.014/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c6273e31873690f22ad14637802b088d3b0a5d91aa68ae0067f692cd65a9a20b
+size 3623
diff --git a/datasets/attack_techniques/T1218.014/snapattack/snapattack.yml b/datasets/attack_techniques/T1218.014/snapattack/snapattack.yml
new file mode 100644
index 000000000..2116d824b
--- /dev/null
+++ b/datasets/attack_techniques/T1218.014/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 95eb7814-4ba9-4d47-a139-c6383ba1b794
+date: '2026-04-01'
+description: Generated datasets for Windows GrimResource APDS XSS Redirection in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1218.014
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1218.014/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1218/snapattack/snapattack.log b/datasets/attack_techniques/T1218/snapattack/snapattack.log
new file mode 100644
index 000000000..50269a083
--- /dev/null
+++ b/datasets/attack_techniques/T1218/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c4063ec2dc1416fbfeac7b143bf5d9a9690fa3c719f7dbbb1cd892915cb3317c
+size 2962
diff --git a/datasets/attack_techniques/T1218/snapattack/snapattack.yml b/datasets/attack_techniques/T1218/snapattack/snapattack.yml
new file mode 100644
index 000000000..91be58680
--- /dev/null
+++ b/datasets/attack_techniques/T1218/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 1921312e-9f31-49a7-ac93-e5be2711ce9a
+date: '2026-04-01'
+description: Generated datasets for Windows Possible CVE-2023-36025 Exploitation in
+ attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1218
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1218/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1219/snapattack/snapattack.log b/datasets/attack_techniques/T1219/snapattack/snapattack.log
new file mode 100644
index 000000000..a009e5947
--- /dev/null
+++ b/datasets/attack_techniques/T1219/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:00589b8fd967ff002439587e093a344551a1ef42eb3a089e6d46041590b9269c
+size 20687
diff --git a/datasets/attack_techniques/T1219/snapattack/snapattack.yml b/datasets/attack_techniques/T1219/snapattack/snapattack.yml
new file mode 100644
index 000000000..aefcb8fc3
--- /dev/null
+++ b/datasets/attack_techniques/T1219/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 2633c157-cfa0-410b-9c3c-a74c9eb1ec8a
+date: '2026-04-01'
+description: Generated datasets for Windows Level Powershell Installer in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1219
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1219/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1222/snapattack/snapattack.log b/datasets/attack_techniques/T1222/snapattack/snapattack.log
new file mode 100644
index 000000000..ad3d87059
--- /dev/null
+++ b/datasets/attack_techniques/T1222/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d83fe55965e070f5900957f22d74faf1eab416ae3583e5bf639996d415284948
+size 1718
diff --git a/datasets/attack_techniques/T1222/snapattack/snapattack.yml b/datasets/attack_techniques/T1222/snapattack/snapattack.yml
new file mode 100644
index 000000000..d93b656da
--- /dev/null
+++ b/datasets/attack_techniques/T1222/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: d9741377-7584-4915-ab6d-bfa1d721a194
+date: '2026-04-01'
+description: Generated datasets for Windows Symbolic Link Tools in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1222
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1222/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1482/snapattack/snapattack.log b/datasets/attack_techniques/T1482/snapattack/snapattack.log
new file mode 100644
index 000000000..f9011b18c
--- /dev/null
+++ b/datasets/attack_techniques/T1482/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9f55b6b1e1e23a58e5e5277015acf7985935f99222e164e89141ebda46d5494b
+size 4624
diff --git a/datasets/attack_techniques/T1482/snapattack/snapattack.yml b/datasets/attack_techniques/T1482/snapattack/snapattack.yml
new file mode 100644
index 000000000..6b735d75a
--- /dev/null
+++ b/datasets/attack_techniques/T1482/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: e4b24dd7-043c-4a21-930c-101444ab5417
+date: '2026-04-01'
+description: Generated datasets for Windows Azure Domain Federated via Powershell
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1482
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1482/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1484.001/snapattack/snapattack.log b/datasets/attack_techniques/T1484.001/snapattack/snapattack.log
new file mode 100644
index 000000000..f1824a52a
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72d769821e23ef30f02e389e04854b15c73a99baf39f9adeca2647762ac32dfc
+size 11949
diff --git a/datasets/attack_techniques/T1484.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1484.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..2df1c9ff7
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 25ad88e6-d332-4a62-a584-a3eb3a531881
+date: '2026-04-01'
+description: Generated datasets for Windows Attempt to access GptTmpl.inf in SYSVOL
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1484.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1484.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1485/snapattack/snapattack.log b/datasets/attack_techniques/T1485/snapattack/snapattack.log
new file mode 100644
index 000000000..90a1539da
--- /dev/null
+++ b/datasets/attack_techniques/T1485/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12a9b732c60cd1ee8b9e18e2b8e8508b296b62836e3889d283b2a790785b0f84
+size 1586
diff --git a/datasets/attack_techniques/T1485/snapattack/snapattack.yml b/datasets/attack_techniques/T1485/snapattack/snapattack.yml
new file mode 100644
index 000000000..c1f8ca615
--- /dev/null
+++ b/datasets/attack_techniques/T1485/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 1e744155-d897-4aec-aa75-69a11f7b39ac
+date: '2026-04-01'
+description: Generated datasets for Windows Hivelocker Cleanup Script in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1485
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1485/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1490/snapattack/snapattack.log b/datasets/attack_techniques/T1490/snapattack/snapattack.log
new file mode 100644
index 000000000..d5690474d
--- /dev/null
+++ b/datasets/attack_techniques/T1490/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b666914465faff8bc426c25a1547514e97eabb8af2f3a5c42b95007096e46121
+size 1304
diff --git a/datasets/attack_techniques/T1490/snapattack/snapattack.yml b/datasets/attack_techniques/T1490/snapattack/snapattack.yml
new file mode 100644
index 000000000..b6c7c136a
--- /dev/null
+++ b/datasets/attack_techniques/T1490/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: e5299a70-0166-4f6c-872e-b56321ec3638
+date: '2026-04-01'
+description: Generated datasets for Windows Modification of Recycle Bin related registry
+ keys in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1490
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1490/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1491.001/snapattack/snapattack.log b/datasets/attack_techniques/T1491.001/snapattack/snapattack.log
new file mode 100644
index 000000000..46b7d2195
--- /dev/null
+++ b/datasets/attack_techniques/T1491.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f98d18661c50a7634b22d5c7ceaab51f4988c6033dd66f0847076c758fef6218
+size 1996
diff --git a/datasets/attack_techniques/T1491.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1491.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..883baeeb6
--- /dev/null
+++ b/datasets/attack_techniques/T1491.001/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 14dd611a-9b0e-4342-a719-d989570345b9
+date: '2026-04-01'
+description: Generated datasets for Windows PowerShell Post Exploitation Common Keywords
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1491.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1491.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1497/snapattack/snapattack.log b/datasets/attack_techniques/T1497/snapattack/snapattack.log
new file mode 100644
index 000000000..100e3517a
--- /dev/null
+++ b/datasets/attack_techniques/T1497/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aa3058774c7cea711bf2de8a0f4f373a88db9e647b273dd7fcf86c656b88e2b3
+size 2161
diff --git a/datasets/attack_techniques/T1497/snapattack/snapattack.yml b/datasets/attack_techniques/T1497/snapattack/snapattack.yml
new file mode 100644
index 000000000..e780c0f53
--- /dev/null
+++ b/datasets/attack_techniques/T1497/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 9c6eda62-3734-4d18-90a6-fa8e35facc8c
+date: '2026-04-01'
+description: Generated datasets for Windows Chromium Browser with Custom User Data
+ Directory in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1497
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1497/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1505.003/snapattack/snapattack.log b/datasets/attack_techniques/T1505.003/snapattack/snapattack.log
new file mode 100644
index 000000000..9e9bbd286
--- /dev/null
+++ b/datasets/attack_techniques/T1505.003/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:072e7d22dffeeea74ab667698b737596b934d93d01bde8a815b2a914c1323812
+size 14991
diff --git a/datasets/attack_techniques/T1505.003/snapattack/snapattack.yml b/datasets/attack_techniques/T1505.003/snapattack/snapattack.yml
new file mode 100644
index 000000000..08fff27f8
--- /dev/null
+++ b/datasets/attack_techniques/T1505.003/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 23dfbeb0-6318-4355-96d8-e198fe3f2ff2
+date: '2026-04-01'
+description: Generated datasets for Windows Possible MOVEit Webshell - CVE-2023-34362
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1505.003
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1505.003/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1505/snapattack/snapattack.log b/datasets/attack_techniques/T1505/snapattack/snapattack.log
new file mode 100644
index 000000000..dbacd8dd7
--- /dev/null
+++ b/datasets/attack_techniques/T1505/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:17a72049c832a85cb4cb3d7f5e9124cf343a394cf9d637ea67ff4529d888368d
+size 4214
diff --git a/datasets/attack_techniques/T1505/snapattack/snapattack.yml b/datasets/attack_techniques/T1505/snapattack/snapattack.yml
new file mode 100644
index 000000000..bc9cb5171
--- /dev/null
+++ b/datasets/attack_techniques/T1505/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 43d600c2-c62e-4598-a41a-2dc7b1e86d96
+date: '2026-04-01'
+description: Generated datasets for Windows Terminal Spawned via Special Administration
+ Console in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1505
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1505/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1518/snapattack/snapattack.log b/datasets/attack_techniques/T1518/snapattack/snapattack.log
new file mode 100644
index 000000000..d42ae0240
--- /dev/null
+++ b/datasets/attack_techniques/T1518/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1dad51454c7e85c977b7757acdbfc60a9aa569b083b45537cbe72e731c8b8c6d
+size 2424
diff --git a/datasets/attack_techniques/T1518/snapattack/snapattack.yml b/datasets/attack_techniques/T1518/snapattack/snapattack.yml
new file mode 100644
index 000000000..9cab0e101
--- /dev/null
+++ b/datasets/attack_techniques/T1518/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 7a3a94cc-a1fd-4b07-8eb8-cfc28d7ce5be
+date: '2026-04-01'
+description: Generated datasets for Windows Software Discovery via Powershell in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1518
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1518/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1526/snapattack/snapattack.log b/datasets/attack_techniques/T1526/snapattack/snapattack.log
new file mode 100644
index 000000000..526cdcdfa
--- /dev/null
+++ b/datasets/attack_techniques/T1526/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:08bd73039ecab8b93ad60d561ca4305eb2c37eff6e251be8ee44ab885b514c2e
+size 4156
diff --git a/datasets/attack_techniques/T1526/snapattack/snapattack.yml b/datasets/attack_techniques/T1526/snapattack/snapattack.yml
new file mode 100644
index 000000000..1947670d2
--- /dev/null
+++ b/datasets/attack_techniques/T1526/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 3b59510d-cca2-4076-9310-934dbd9ee165
+date: '2026-04-01'
+description: Generated datasets for Windows Seatbelt Tool Execution in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1526
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1526/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1542.001/snapattack/snapattack.log b/datasets/attack_techniques/T1542.001/snapattack/snapattack.log
new file mode 100644
index 000000000..869169e0a
--- /dev/null
+++ b/datasets/attack_techniques/T1542.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a000f9fe183c1543c737fbeb716abf940b4f6ed80cae99912d9aba904fb12740
+size 4150
diff --git a/datasets/attack_techniques/T1542.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1542.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..08b337c5d
--- /dev/null
+++ b/datasets/attack_techniques/T1542.001/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 17757060-bbf1-41ba-ac80-607e76af0dde
+date: '2026-04-01'
+description: Generated datasets for Windows Possible Bootkit Manipulation in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1542.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1542.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1542.003/snapattack/snapattack.log b/datasets/attack_techniques/T1542.003/snapattack/snapattack.log
new file mode 100644
index 000000000..5d3dd4a15
--- /dev/null
+++ b/datasets/attack_techniques/T1542.003/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a3297fff4b36030ab2ed4e500473b785c4f3032bdecb351eaaefa44a06c6091c
+size 1255
diff --git a/datasets/attack_techniques/T1542.003/snapattack/snapattack.yml b/datasets/attack_techniques/T1542.003/snapattack/snapattack.yml
new file mode 100644
index 000000000..32f81b0c3
--- /dev/null
+++ b/datasets/attack_techniques/T1542.003/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 62d7ada0-8b3c-4ef3-8d3a-da67b60fe832
+date: '2026-04-01'
+description: Generated datasets for Windows Possible Bootloader Modification in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1542.003
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1542.003/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1543.003/snapattack/snapattack.log b/datasets/attack_techniques/T1543.003/snapattack/snapattack.log
new file mode 100644
index 000000000..d9fce61a6
--- /dev/null
+++ b/datasets/attack_techniques/T1543.003/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:481008b95fe0f46a54feacde59504d0830e92be68654ce9ef01c3f9850e5a391
+size 9977
diff --git a/datasets/attack_techniques/T1543.003/snapattack/snapattack.yml b/datasets/attack_techniques/T1543.003/snapattack/snapattack.yml
new file mode 100644
index 000000000..fe36f8ea7
--- /dev/null
+++ b/datasets/attack_techniques/T1543.003/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 33739096-0646-4694-a724-91c751b14590
+date: '2026-04-01'
+description: Generated datasets for Windows RMM Tool Installation in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1543.003
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1543.003/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1546.008/snapattack/snapattack.log b/datasets/attack_techniques/T1546.008/snapattack/snapattack.log
new file mode 100644
index 000000000..301c9fe40
--- /dev/null
+++ b/datasets/attack_techniques/T1546.008/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:78eea36e02efb6078096556c0f71ed1a9831fd7b634aa88756b13b4721f62bf9
+size 1614
diff --git a/datasets/attack_techniques/T1546.008/snapattack/snapattack.yml b/datasets/attack_techniques/T1546.008/snapattack/snapattack.yml
new file mode 100644
index 000000000..482755204
--- /dev/null
+++ b/datasets/attack_techniques/T1546.008/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: e7f4e67c-c67b-47b8-91cc-535267f81ef3
+date: '2026-04-01'
+description: Generated datasets for Windows Accessibility Features Modification in
+ attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1546.008
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1546.008/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1546.009/snapattack/snapattack.log b/datasets/attack_techniques/T1546.009/snapattack/snapattack.log
new file mode 100644
index 000000000..7432a4525
--- /dev/null
+++ b/datasets/attack_techniques/T1546.009/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a5cfe8c2618abafadda4f9cf4969d9a42d716eaa0b6cbb05e475fe5d0298d706
+size 1584
diff --git a/datasets/attack_techniques/T1546.009/snapattack/snapattack.yml b/datasets/attack_techniques/T1546.009/snapattack/snapattack.yml
new file mode 100644
index 000000000..059fc0baa
--- /dev/null
+++ b/datasets/attack_techniques/T1546.009/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 0516d3d2-50c0-40d7-b32b-2f6fe71ffa3e
+date: '2026-04-01'
+description: Generated datasets for Windows AppCertDLL Modification in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1546.009
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1546.009/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1547.001/snapattack/snapattack.log b/datasets/attack_techniques/T1547.001/snapattack/snapattack.log
new file mode 100644
index 000000000..7da3ed2a7
--- /dev/null
+++ b/datasets/attack_techniques/T1547.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ca1e343e12e99abb1381e180cc0b191dc53ef37786973b2fa4b65bcb893fa84
+size 1384
diff --git a/datasets/attack_techniques/T1547.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1547.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..457a9f8cb
--- /dev/null
+++ b/datasets/attack_techniques/T1547.001/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 6289ce0a-026f-43cf-b859-f1b5790eb6dd
+date: '2026-04-01'
+description: Generated datasets for Windows POWERSTATS Registry Persistence in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1547.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1547.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1547.009/snapattack/snapattack.log b/datasets/attack_techniques/T1547.009/snapattack/snapattack.log
new file mode 100644
index 000000000..0d952cd1a
--- /dev/null
+++ b/datasets/attack_techniques/T1547.009/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:258c0eb5e2c8b48d955532470f489a7bc5678c78dfc293d5226ed9b73a09be37
+size 2456
diff --git a/datasets/attack_techniques/T1547.009/snapattack/snapattack.yml b/datasets/attack_techniques/T1547.009/snapattack/snapattack.yml
new file mode 100644
index 000000000..a131bd6ac
--- /dev/null
+++ b/datasets/attack_techniques/T1547.009/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: d3092c67-e7be-4a45-b80b-74aa35f4d1b0
+date: '2026-04-01'
+description: Generated datasets for Windows Office Creating or Modifying Desktop Shortcut
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1547.009
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1547.009/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1547.012/snapattack/snapattack.log b/datasets/attack_techniques/T1547.012/snapattack/snapattack.log
new file mode 100644
index 000000000..72af2d376
--- /dev/null
+++ b/datasets/attack_techniques/T1547.012/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d7d5a9462b5f5e880ddab89a33f2626cdf0b63c3a63e1d298a3edbc93b28647f
+size 2032
diff --git a/datasets/attack_techniques/T1547.012/snapattack/snapattack.yml b/datasets/attack_techniques/T1547.012/snapattack/snapattack.yml
new file mode 100644
index 000000000..a2b840398
--- /dev/null
+++ b/datasets/attack_techniques/T1547.012/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 84f5095f-afed-4f75-affd-6ef3f3b22110
+date: '2026-04-01'
+description: Generated datasets for Windows Spoolsv Writing a DLL in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1547.012
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1547.012/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1552/snapattack/snapattack.log b/datasets/attack_techniques/T1552/snapattack/snapattack.log
new file mode 100644
index 000000000..eb918e3d8
--- /dev/null
+++ b/datasets/attack_techniques/T1552/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dda4baa4adfe9aa7c36a5128462b63028eab85ec4ed014b37ad7f39ce72a0c46
+size 3809
diff --git a/datasets/attack_techniques/T1552/snapattack/snapattack.yml b/datasets/attack_techniques/T1552/snapattack/snapattack.yml
new file mode 100644
index 000000000..2311f8880
--- /dev/null
+++ b/datasets/attack_techniques/T1552/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: cb58c4d6-7939-4e07-8945-eca77710abd6
+date: '2026-04-01'
+description: Generated datasets for Windows LAPS Password Gathering (Powershell) in
+ attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1552
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1552/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1553.002/snapattack/snapattack.log b/datasets/attack_techniques/T1553.002/snapattack/snapattack.log
new file mode 100644
index 000000000..58108ac0e
--- /dev/null
+++ b/datasets/attack_techniques/T1553.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:01e238193ec73eb2b5895811857628c0b2d35bf59cbcb81e23cbecfd65e62c87
+size 3314
diff --git a/datasets/attack_techniques/T1553.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1553.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..92cc14da1
--- /dev/null
+++ b/datasets/attack_techniques/T1553.002/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: df283512-6879-495b-8456-53a863ed5a8a
+date: '2026-04-01'
+description: Generated datasets for Windows Expired Signature in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1553.002
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1553.002/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1555.003/snapattack/snapattack.log b/datasets/attack_techniques/T1555.003/snapattack/snapattack.log
new file mode 100644
index 000000000..1f38d3434
--- /dev/null
+++ b/datasets/attack_techniques/T1555.003/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:047a77c7ecbd7012d3c7459753be081ee1daf0268dbb0376aeaaaf52b74d468f
+size 9525
diff --git a/datasets/attack_techniques/T1555.003/snapattack/snapattack.yml b/datasets/attack_techniques/T1555.003/snapattack/snapattack.yml
new file mode 100644
index 000000000..3f0ced9bc
--- /dev/null
+++ b/datasets/attack_techniques/T1555.003/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 42ba2c04-ed01-40a8-af61-c577abf44372
+date: '2026-04-01'
+description: Generated datasets for Windows SapphireStealer Indicators in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1555.003
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1555.003/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1556.002/snapattack/snapattack.log b/datasets/attack_techniques/T1556.002/snapattack/snapattack.log
new file mode 100644
index 000000000..2dd5c0147
--- /dev/null
+++ b/datasets/attack_techniques/T1556.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:363121e2d8f9f420ad9d92b07fc2d690eb12340566281cad30618e76e410c49d
+size 1254
diff --git a/datasets/attack_techniques/T1556.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1556.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..2921b9b67
--- /dev/null
+++ b/datasets/attack_techniques/T1556.002/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: f04f48e9-ab85-4b2b-8205-1904c9302d49
+date: '2026-04-01'
+description: Generated datasets for Windows Password Filter DLL in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1556.002
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1556.002/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1560.002/snapattack/snapattack.log b/datasets/attack_techniques/T1560.002/snapattack/snapattack.log
new file mode 100644
index 000000000..1d5a5f802
--- /dev/null
+++ b/datasets/attack_techniques/T1560.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:849ddc349dade2e6931c10ee2d66af1515e18c436306de6f6d6c1caa00c59a8d
+size 1981
diff --git a/datasets/attack_techniques/T1560.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1560.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..7ecdd49eb
--- /dev/null
+++ b/datasets/attack_techniques/T1560.002/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 3678533c-0516-496e-b488-caaf9cdbbe46
+date: '2026-04-01'
+description: Generated datasets for Windows Inline Compression via PowerShell in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1560.002
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1560.002/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1562.001/snapattack/snapattack.log b/datasets/attack_techniques/T1562.001/snapattack/snapattack.log
new file mode 100644
index 000000000..10218f619
--- /dev/null
+++ b/datasets/attack_techniques/T1562.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc19e0c681cb39944eaa8bc9466514bfb63c3f9bfb5961a13bbc25d37396d7d6
+size 1215
diff --git a/datasets/attack_techniques/T1562.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1562.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..9338a94a3
--- /dev/null
+++ b/datasets/attack_techniques/T1562.001/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 6aa773e5-444c-4a85-8cd4-bda041588559
+date: '2026-04-01'
+description: Generated datasets for Windows Defender Control Artifact in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1562.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1562.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1562.004/snapattack/snapattack.log b/datasets/attack_techniques/T1562.004/snapattack/snapattack.log
new file mode 100644
index 000000000..902a2afa4
--- /dev/null
+++ b/datasets/attack_techniques/T1562.004/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:74d58573599a41866de63b7cc892d922523b12440082bf9042b6f73862ba75f3
+size 1644
diff --git a/datasets/attack_techniques/T1562.004/snapattack/snapattack.yml b/datasets/attack_techniques/T1562.004/snapattack/snapattack.yml
new file mode 100644
index 000000000..f2f70b44e
--- /dev/null
+++ b/datasets/attack_techniques/T1562.004/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 17ba91bc-f520-4b11-aaf5-260750e2f555
+date: '2026-04-01'
+description: Generated datasets for Windows Port in Command Line in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1562.004
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1562.004/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1562.009/snapattack/snapattack.log b/datasets/attack_techniques/T1562.009/snapattack/snapattack.log
new file mode 100644
index 000000000..6554130b1
--- /dev/null
+++ b/datasets/attack_techniques/T1562.009/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:80cbcd002d88bf75a9bb9064ab7fb3faf16b8aed1cf60c5631190f24dad7f605
+size 1208
diff --git a/datasets/attack_techniques/T1562.009/snapattack/snapattack.yml b/datasets/attack_techniques/T1562.009/snapattack/snapattack.yml
new file mode 100644
index 000000000..15b73781b
--- /dev/null
+++ b/datasets/attack_techniques/T1562.009/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: f1af43d6-2a35-48c4-b796-6ceb29f4c8a4
+date: '2026-04-01'
+description: Generated datasets for Windows Registry Modification of BCD Configuration
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1562.009
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1562.009/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1562/snapattack/snapattack.log b/datasets/attack_techniques/T1562/snapattack/snapattack.log
new file mode 100644
index 000000000..658f568a4
--- /dev/null
+++ b/datasets/attack_techniques/T1562/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9262475cd0e61a7104b4330382019c66352e7d9f1301a3e7c3142f4c948a1de5
+size 9011
diff --git a/datasets/attack_techniques/T1562/snapattack/snapattack.yml b/datasets/attack_techniques/T1562/snapattack/snapattack.yml
new file mode 100644
index 000000000..f6869eb74
--- /dev/null
+++ b/datasets/attack_techniques/T1562/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 5d47289f-40f0-4cfa-a0fd-3fe124377e5a
+date: '2026-04-01'
+description: Generated datasets for Windows Defender Signatures Removed (Powershell)
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1562
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1562/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1564/snapattack/snapattack.log b/datasets/attack_techniques/T1564/snapattack/snapattack.log
new file mode 100644
index 000000000..a683ff024
--- /dev/null
+++ b/datasets/attack_techniques/T1564/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b2dd0d53ba080270b44bff45dffd292859283279f9aa0a43e7613ef3c02d6af5
+size 1492
diff --git a/datasets/attack_techniques/T1564/snapattack/snapattack.yml b/datasets/attack_techniques/T1564/snapattack/snapattack.yml
new file mode 100644
index 000000000..d9b0a72b4
--- /dev/null
+++ b/datasets/attack_techniques/T1564/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: d1045710-e8c2-4bc7-b28e-6b67cc10ae3a
+date: '2026-04-01'
+description: Generated datasets for Windows Possible Command Execution from ADS in
+ attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1564
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1564/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1566/snapattack/snapattack.log b/datasets/attack_techniques/T1566/snapattack/snapattack.log
new file mode 100644
index 000000000..d580ec212
--- /dev/null
+++ b/datasets/attack_techniques/T1566/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:68822466aa8d1d1ea667bd23dbc9e1b1934155bc494e44d62ad2d8b0cfa3dce9
+size 2472
diff --git a/datasets/attack_techniques/T1566/snapattack/snapattack.yml b/datasets/attack_techniques/T1566/snapattack/snapattack.yml
new file mode 100644
index 000000000..3e64132a8
--- /dev/null
+++ b/datasets/attack_techniques/T1566/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: b0bb28f7-ef8d-4fdf-ac7d-666ed1dc7e73
+date: '2026-04-01'
+description: Generated datasets for Windows UDL File Opened - Registry in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1566
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1566/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1567.002/snapattack/snapattack.log b/datasets/attack_techniques/T1567.002/snapattack/snapattack.log
new file mode 100644
index 000000000..77c67a84a
--- /dev/null
+++ b/datasets/attack_techniques/T1567.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:35424e75512f81ff14c5d0481abccb5c13f08dfa4e826ca1eb5a71f5893c0a98
+size 6085
diff --git a/datasets/attack_techniques/T1567.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1567.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..a15188b3d
--- /dev/null
+++ b/datasets/attack_techniques/T1567.002/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 9f061461-5800-4fe0-9c18-6600a22eecbf
+date: '2026-04-01'
+description: Generated datasets for Windows Azure Storage Tools in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1567.002
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1567.002/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1567/snapattack/snapattack.log b/datasets/attack_techniques/T1567/snapattack/snapattack.log
new file mode 100644
index 000000000..d2222f035
--- /dev/null
+++ b/datasets/attack_techniques/T1567/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1c28427bd1b9908377ba0a85654af7dcc240de93eeff6cc3d29c56a7c071298d
+size 4126
diff --git a/datasets/attack_techniques/T1567/snapattack/snapattack.yml b/datasets/attack_techniques/T1567/snapattack/snapattack.yml
new file mode 100644
index 000000000..57d9aa16d
--- /dev/null
+++ b/datasets/attack_techniques/T1567/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: ad9357a3-7af1-4395-8b81-f550cc8b58ce
+date: '2026-04-01'
+description: Generated datasets for Windows Suspicious Process Making DNS Request
+ for Slack.com in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1567
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1567/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1569/snapattack/snapattack.log b/datasets/attack_techniques/T1569/snapattack/snapattack.log
new file mode 100644
index 000000000..cb98ea698
--- /dev/null
+++ b/datasets/attack_techniques/T1569/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8833e9f362b7ddf8289f94b6b3b9507df96763bed7e2a8d7d7e542306a1199ca
+size 3654
diff --git a/datasets/attack_techniques/T1569/snapattack/snapattack.yml b/datasets/attack_techniques/T1569/snapattack/snapattack.yml
new file mode 100644
index 000000000..a842fad03
--- /dev/null
+++ b/datasets/attack_techniques/T1569/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: f9943056-0f10-4d1f-8b1a-6accac11e2d7
+date: '2026-04-01'
+description: Generated datasets for Windows Service Masquerading as IP Helper in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1569
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1569/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1570/snapattack/snapattack.log b/datasets/attack_techniques/T1570/snapattack/snapattack.log
new file mode 100644
index 000000000..5ef05c290
--- /dev/null
+++ b/datasets/attack_techniques/T1570/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2636df36ce2f1c17915cb5dbe6b4d57339763c7499f6f39defd5555201fa45fe
+size 4122
diff --git a/datasets/attack_techniques/T1570/snapattack/snapattack.yml b/datasets/attack_techniques/T1570/snapattack/snapattack.yml
new file mode 100644
index 000000000..109c957b3
--- /dev/null
+++ b/datasets/attack_techniques/T1570/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: a201b4a7-4c56-4946-817f-83672fd87dff
+date: '2026-04-01'
+description: Generated datasets for Windows Suspicious Configuration Manager Connection
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1570
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1570/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1572/snapattack/snapattack.log b/datasets/attack_techniques/T1572/snapattack/snapattack.log
new file mode 100644
index 000000000..9fae79186
--- /dev/null
+++ b/datasets/attack_techniques/T1572/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73d824363d407e73fdaa283a30641580911af3d1c3e895b561d02a113ee006fb
+size 10344
diff --git a/datasets/attack_techniques/T1572/snapattack/snapattack.yml b/datasets/attack_techniques/T1572/snapattack/snapattack.yml
new file mode 100644
index 000000000..8873e0d98
--- /dev/null
+++ b/datasets/attack_techniques/T1572/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 9f9ef031-bbd8-4b05-b234-d0bfe383fee3
+date: '2026-04-01'
+description: Generated datasets for Windows Cloudflared Network Connection in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1572
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1572/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1574.002/snapattack/snapattack.log b/datasets/attack_techniques/T1574.002/snapattack/snapattack.log
new file mode 100644
index 000000000..93742068b
--- /dev/null
+++ b/datasets/attack_techniques/T1574.002/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:704d7f7a7dc23a458b81644ea5b73c265ec95828011738d69e02cec541a2d904
+size 15402
diff --git a/datasets/attack_techniques/T1574.002/snapattack/snapattack.yml b/datasets/attack_techniques/T1574.002/snapattack/snapattack.yml
new file mode 100644
index 000000000..addb98ed1
--- /dev/null
+++ b/datasets/attack_techniques/T1574.002/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 0d6be70c-1b48-433c-af22-4965ca077d83
+date: '2026-04-01'
+description: Generated datasets for Windows CVE-2024-6769 File Indicators in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1574.002
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1574.002/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1574.008/snapattack/snapattack.log b/datasets/attack_techniques/T1574.008/snapattack/snapattack.log
new file mode 100644
index 000000000..decb11d1b
--- /dev/null
+++ b/datasets/attack_techniques/T1574.008/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fdfe503aeef8c8efddb363efd4bc3c53c64490dc4687aa691c0a03d09260bcb2
+size 7666
diff --git a/datasets/attack_techniques/T1574.008/snapattack/snapattack.yml b/datasets/attack_techniques/T1574.008/snapattack/snapattack.yml
new file mode 100644
index 000000000..a40eb4a12
--- /dev/null
+++ b/datasets/attack_techniques/T1574.008/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: a6347eca-8597-4384-8b4b-ec0b8003f7cd
+date: '2026-04-01'
+description: Generated datasets for Windows Get-Variable.exe Establishing Network
+ Connections in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1574.008
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1574.008/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1574/snapattack/snapattack.log b/datasets/attack_techniques/T1574/snapattack/snapattack.log
new file mode 100644
index 000000000..f2630f193
--- /dev/null
+++ b/datasets/attack_techniques/T1574/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93b32c2e28f04ace8425adaf8ec020311986e604ba5658f02de61c3b5bef1ae3
+size 5835
diff --git a/datasets/attack_techniques/T1574/snapattack/snapattack.yml b/datasets/attack_techniques/T1574/snapattack/snapattack.yml
new file mode 100644
index 000000000..8d2b04447
--- /dev/null
+++ b/datasets/attack_techniques/T1574/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 43361f1d-a2cd-4534-8089-64d208d75416
+date: '2026-04-01'
+description: Generated datasets for Windows DNS ServerLevelPlugin DLL Compromise in
+ attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1574
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1574/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1589.001/snapattack/snapattack.log b/datasets/attack_techniques/T1589.001/snapattack/snapattack.log
new file mode 100644
index 000000000..663b9ee5f
--- /dev/null
+++ b/datasets/attack_techniques/T1589.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55255e00600a5f11e2a58f2beffcdbd43552c4337c5638c0635cae8eb458a54f
+size 1214
diff --git a/datasets/attack_techniques/T1589.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1589.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..10546784b
--- /dev/null
+++ b/datasets/attack_techniques/T1589.001/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 52cbbd8d-8b85-4aff-9095-70599a5aa093
+date: '2026-04-01'
+description: Generated datasets for Windows Unusual LogonUI Activity in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1589.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1589.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1590/snapattack/snapattack.log b/datasets/attack_techniques/T1590/snapattack/snapattack.log
new file mode 100644
index 000000000..ad999060f
--- /dev/null
+++ b/datasets/attack_techniques/T1590/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0516bdeaef61f4af32ebfec93f896f438ea4072a3486bb5dc6b2827c4b309980
+size 2626
diff --git a/datasets/attack_techniques/T1590/snapattack/snapattack.yml b/datasets/attack_techniques/T1590/snapattack/snapattack.yml
new file mode 100644
index 000000000..3207f49b1
--- /dev/null
+++ b/datasets/attack_techniques/T1590/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 4c171be5-c3e5-4d3b-8a0c-a2ce8d64cf82
+date: '2026-04-01'
+description: Generated datasets for Windows Hacktool - WinPEAS.ps1 in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1590
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ path: /datasets/attack_techniques/T1590/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1595.001/snapattack/snapattack.log b/datasets/attack_techniques/T1595.001/snapattack/snapattack.log
new file mode 100644
index 000000000..0c44888e8
--- /dev/null
+++ b/datasets/attack_techniques/T1595.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:08655162ab12e6ff20c89409fafde95fe51cff1b58778de8125c33c8d5d93285
+size 1192
diff --git a/datasets/attack_techniques/T1595.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1595.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..bd4898c49
--- /dev/null
+++ b/datasets/attack_techniques/T1595.001/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 039d3bdb-fc79-4a6f-881a-620a3ff36e59
+date: '2026-04-01'
+description: Generated datasets for Windows Gogo Scanner File Indicator in attack
+ range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1595.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1595.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1595/snapattack/snapattack.log b/datasets/attack_techniques/T1595/snapattack/snapattack.log
new file mode 100644
index 000000000..47819fc2b
--- /dev/null
+++ b/datasets/attack_techniques/T1595/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7da0d8bbe67613cf223b0eb88eaf1627a989f9466430958adc9f84665cc91b8f
+size 1541
diff --git a/datasets/attack_techniques/T1595/snapattack/snapattack.yml b/datasets/attack_techniques/T1595/snapattack/snapattack.yml
new file mode 100644
index 000000000..898f05a59
--- /dev/null
+++ b/datasets/attack_techniques/T1595/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 9f41bb24-0cbb-4024-9beb-2d62ccd56093
+date: '2026-04-01'
+description: Generated datasets for Windows Netspy Network Scanner in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1595
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1595/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1608.001/snapattack/snapattack.log b/datasets/attack_techniques/T1608.001/snapattack/snapattack.log
new file mode 100644
index 000000000..ce3206874
--- /dev/null
+++ b/datasets/attack_techniques/T1608.001/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:123c8eee1e4362bc4e0ce347583529cade4aa0c77236e0b2ae25c83e9727f85f
+size 4790
diff --git a/datasets/attack_techniques/T1608.001/snapattack/snapattack.yml b/datasets/attack_techniques/T1608.001/snapattack/snapattack.yml
new file mode 100644
index 000000000..b7ad3af9e
--- /dev/null
+++ b/datasets/attack_techniques/T1608.001/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: 9c0441e6-0e99-4c61-b709-306848e88740
+date: '2026-04-01'
+description: Generated datasets for Windows Fake zero-day PoC Malware in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1608.001
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1608.001/snapattack/snaattack.log
diff --git a/datasets/attack_techniques/T1608/snapattack/snapattack.log b/datasets/attack_techniques/T1608/snapattack/snapattack.log
new file mode 100644
index 000000000..6e8853d31
--- /dev/null
+++ b/datasets/attack_techniques/T1608/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fa5e1367dbf9c9b231a1c1051e17500ba33d691fff3ffed7fc7319bf05ae2895
+size 17998
diff --git a/datasets/attack_techniques/T1608/snapattack/snapattack.yml b/datasets/attack_techniques/T1608/snapattack/snapattack.yml
new file mode 100644
index 000000000..266822213
--- /dev/null
+++ b/datasets/attack_techniques/T1608/snapattack/snapattack.yml
@@ -0,0 +1,13 @@
+author: Raven Tait, Splunk
+id: f7a29d1d-e687-4232-a65c-1078f62d9d73
+date: '2026-04-01'
+description: Generated datasets for Windows Amadey File Indicators in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1608
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ path: /datasets/attack_techniques/T1608/snapattack/snaattack.log