GitHub Repo

Simulated attacks using Unicorn, Cobalt Strike, an...

Date: 2021-04-20 ID: cc9b2608-efc9-11eb-926b-550bf0943fbb Author: Michael Haag Environment: attack_range Directory: Unknown

Description

Simulated attacks using Unicorn, Cobalt Strike, and Metasploit. These tests all include macros and a Office Product spawning a process.

MITRE ATT&CK Techniques

No MITRE techniques specified for this dataset.

Environment Details

Field Value
Environment attack_range
Directory Unknown
Test Date 2021-04-20

Datasets

The following datasets were collected during this attack simulation:

Dataset_1

  • Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log
  • Sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Dataset_2

  • Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log
  • Sourcetype: unknown
  • Source: unknown

Dataset_3

  • Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_wsh.log
  • Sourcetype: unknown
  • Source: unknown

Dataset_4

  • Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log
  • Sourcetype: unknown
  • Source: unknown

Dataset_5

  • Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log
  • Sourcetype: unknown
  • Source: unknown

Dataset_6

  • Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log
  • Sourcetype: unknown
  • Source: unknown

Dataset_7

  • Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log
  • Sourcetype: unknown
  • Source: unknown

Dataset_8

  • Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt-windows-security.log
  • Sourcetype: unknown
  • Source: unknown

No specific detections currently use this attack data for testing. However, you can find related detections and analytics in our security content repository.

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above
  2. Configure your Splunk instance with the appropriate sourcetypes
  3. Import the logs using the Splunk Add Data wizard

Related Content

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0