Merge pull request #1099 from splunk/fix_cwd_path_detections

tccontre · web-flow · commit 3f178b720458 · 2025-11-27T16:19:13.000+01:00
fix_cwd_path_detections
diff --git a/datasets/attack_techniques/T1053.003/auditd_path_cron/auditd_path_cron.yml b/datasets/attack_techniques/T1053.003/auditd_path_cron/auditd_path_cron.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: ebb93346-cab0-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path cron in attack range.
+environment: attack_range
+directory: auditd_path_cron
+mitre_technique:
+- T1053.003
+datasets:
+- name: path_cron.log
+  path: /datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log
+  sourcetype: 'auditd'
+  source: 'auditd'
diff --git a/datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log b/datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d1781b8eef7b1b634222d6cbc00044798f5ccadd1130de8517059f39ccec57cc
+size 2790
diff --git a/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/auditd_path_ssh_config.yml b/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/auditd_path_ssh_config.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 30034558-caa9-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path ssh config in attack range.
+environment: attack_range
+directory: auditd_path_ssh_config
+mitre_technique:
+- T1098.004
+datasets:
+- name: path_ssh_config.log
+  path: /datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log
+  sourcetype: 'auditd'
+  source: 'auditd'
diff --git a/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log b/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:221486c9e0f0e8101de8d8f2198586f3119bf6e6548de6804aa00da26e2ea8e4
+size 1441
diff --git a/datasets/attack_techniques/T1529/auditd_path_sysrq/auditd_path_sysrq.yml b/datasets/attack_techniques/T1529/auditd_path_sysrq/auditd_path_sysrq.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: f685a614-cab1-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path sysrq in attack range.
+environment: attack_range
+directory: auditd_path_sysrq
+mitre_technique:
+- T1529
+datasets:
+- name: path_sysrq.log
+  path: /datasets/attack_techniques/T1529/auditd_path_sysrq/path_sysrq.log
+  sourcetype: 'auditd'
+  source: 'auditd'
diff --git a/datasets/attack_techniques/T1529/auditd_path_sysrq/path_sysrq.log b/datasets/attack_techniques/T1529/auditd_path_sysrq/path_sysrq.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c4ca9e6150c822cf1b12e8a1090e0f1007b084fb0f8ab0c330d289516f7d823
+size 523
diff --git a/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/auditd_path_cwd_doas_conf.yml b/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/auditd_path_cwd_doas_conf.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: af16a08e-caa8-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path cwd doas conf in attack range.
+environment: attack_range
+directory: auditd_path_cwd_doas_conf
+mitre_technique:
+- T1548.003
+datasets:
+- name: path_doas.log
+  path: /datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log
+  sourcetype: 'auditd'
+  source: 'auditd'
diff --git a/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log b/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42b3a666077a4b1f6335788d5cc3d358b6a9e83c8cf2ef3f309f9727bed6fa0a
+size 1206
diff --git a/datasets/attack_techniques/T1548.003/auditd_path_sudoers/auditd_path_sudoers.yml b/datasets/attack_techniques/T1548.003/auditd_path_sudoers/auditd_path_sudoers.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 982cabce-caa9-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path sudoers in attack range.
+environment: attack_range
+directory: auditd_path_sudoers
+mitre_technique:
+- T1548.003
+datasets:
+- name: path_sudoers.log
+  path: /datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log
+  sourcetype: 'auditd'
+  source: 'auditd'
diff --git a/datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log b/datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:31daf0628fc00efcb59f410b9376b6f9220d12eac5137bd58eee91a97b2c22cc
+size 765
diff --git a/datasets/attack_techniques/T1574.006/auditd_path_preload_file/auditd_path_preload_file.yml b/datasets/attack_techniques/T1574.006/auditd_path_preload_file/auditd_path_preload_file.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 371a046e-cab1-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path preload file in attack range.
+environment: attack_range
+directory: auditd_path_preload_file
+mitre_technique:
+- T1574.006
+datasets:
+- name: path_preload.log
+  path: /datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log
+  sourcetype: 'auditd'
+  source: 'auditd'
diff --git a/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log b/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf0e1802bdc54ca88f641f7e33088f48596afd026d4955bc52a0d8b6c5c720f3
+size 1488

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:d1781b8eef7b1b634222d6cbc00044798f5ccadd1130de8517059f39ccec57cc`
	`3`	`+size 2790`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:221486c9e0f0e8101de8d8f2198586f3119bf6e6548de6804aa00da26e2ea8e4`
	`3`	`+size 1441`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:6c4ca9e6150c822cf1b12e8a1090e0f1007b084fb0f8ab0c330d289516f7d823`
	`3`	`+size 523`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:42b3a666077a4b1f6335788d5cc3d358b6a9e83c8cf2ef3f309f9727bed6fa0a`
	`3`	`+size 1206`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:31daf0628fc00efcb59f410b9376b6f9220d12eac5137bd58eee91a97b2c22cc`
	`3`	`+size 765`