From 33547ef546e5f3a9a8f37694a038029cf2c8b323 Mon Sep 17 00:00:00 2001
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:02:08 -0600
Subject: [PATCH 1/4] git workflow
---
.../T1195.001/npm/npm_supply_chain.yml | 12 ++++++++++++
.../T1195.001/npm/workflow_yml_sysmon.log | 3 +++
2 files changed, 15 insertions(+)
create mode 100644 datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
create mode 100644 datasets/attack_techniques/T1195.001/npm/workflow_yml_sysmon.log
diff --git a/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml b/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
new file mode 100644
index 00000000..6038c2ca
--- /dev/null
+++ b/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
@@ -0,0 +1,12 @@
+author: Michael Haag, Splunk
+id: 0e029cfc-ce81-48c4-ba74-598afa1ddbba
+date: '2025-10-28'
+description: Dataset generated in attack range for the attack technique of npm supply chain.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/npm/workflow_yml_sysmon.log
+sourcetypes:
+- sysmon:linux
+- sysmon:windows
+references:
+- https://attack.mitre.org/techniques/T1195
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1195.001/npm/workflow_yml_sysmon.log b/datasets/attack_techniques/T1195.001/npm/workflow_yml_sysmon.log
new file mode 100644
index 00000000..81485fcc
--- /dev/null
+++ b/datasets/attack_techniques/T1195.001/npm/workflow_yml_sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3a57a9a1933720890fd70c23684349f82d9182f33044ffff7009c7330b001e71
+size 22920
From 3b509c133bf6dbb07a378858a56147b5b28f8c3b Mon Sep 17 00:00:00 2001
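Review bot: The `description:` line added here (`Dataset generated in attack range for the attack technique of npm supply chain.`) does not say what was run to produce `workflow_yml_sysmon.log`, and it survives unchanged through the fourth patch, so a detection author reading the metadata cannot tell which activity the Linux Sysmon events actually capture; a sentence naming the host platform and the workflow or package that was executed should replace it, checked against what was really run in the range. The `sourcetypes` list includes `sysmon:windows` although the only dataset is a Linux log, and `references` points at the parent `https://attack.mitre.org/techniques/T1195` rather than the T1195.001 sub-technique the directory is named for, but both keys are removed by the second patch in this series, so they need no change here. The file is also created without a trailing newline (`\ No newline at end of file`), which every later patch preserves.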
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:07:35 -0600
Subject: [PATCH 2/4] Update npm_supply_chain.yml
---
.../T1195.001/npm/npm_supply_chain.yml | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml b/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
index 6038c2ca..35d2acf1 100644
--- a/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
+++ b/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
@@ -3,10 +3,11 @@ id: 0e029cfc-ce81-48c4-ba74-598afa1ddbba
 date: '2025-10-28'
 description: Dataset generated in attack range for the attack technique of npm supply chain.
 environment: attack_range
-dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/npm/workflow_yml_sysmon.log
-sourcetypes:
-- sysmon:linux
-- sysmon:windows
-references:
-- https://attack.mitre.org/techniques/T1195
\ No newline at end of file
+directory: npm
+mitre_technique:
+- T1195.001
+datasets:
+- name: workflow_yml_sysmon_linux
+  path: /datasets/attack_techniques/T1195.001/npm/workflow_yml_sysmon.log
+  sourcetype: sysmon:linux
+  source: Syslog:Linux-Sysmon/Operational
\ No newline at end of file
From 7751e3d086666e5457ad904874e7eae31133b9ef Mon Sep 17 00:00:00 2001
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:53:09 -0600
Subject: [PATCH 3/4] 1 more
---
datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml | 4 ++++
.../T1195.001/npm/shai_hulud_workflow_sysmon.log | 3 +++
2 files changed, 7 insertions(+)
create mode 100644 datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log
diff --git a/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml b/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
index 35d2acf1..bd3b82cb 100644
--- a/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
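Review bot: The new entry is named `workflow_yml_sysmon_linux` while the file it points to is `workflow_yml_sysmon.log`, and the entries added by the third and fourth patches (`shai_hulud_workflow_sysmon`, `windows_workflow_sysmon`) put the platform in a different position or omit it, so the three names end up following no single scheme; since `sourcetype` already records the platform, `name: workflow_yml_sysmon` (the path's basename) would be the simplest consistent choice, applied to the later entries as well. This hunk also drops `references` entirely, leaving `mitre_technique: - T1195.001` as the only link to the technique; if the repository's dataset schema still expects a `references` key, it should come back pointing at `https://attack.mitre.org/techniques/T1195/001` rather than the parent technique the removed line used. The schema is not visible in this diff, so treat the second point as something to verify against the repo's validator.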
+++ b/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
@@ -10,4 +10,8 @@ datasets:
 - name: workflow_yml_sysmon_linux
   path: /datasets/attack_techniques/T1195.001/npm/workflow_yml_sysmon.log
   sourcetype: sysmon:linux
+  source: Syslog:Linux-Sysmon/Operational
+- name: shai_hulud_workflow_sysmon
+  path: /datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log
+  sourcetype: sysmon:linux
   source: Syslog:Linux-Sysmon/Operational
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log b/datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log
new file mode 100644
index 00000000..00cac1db
--- /dev/null
+++ b/datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23a4fb324372db0799d122661a62f342f2f5e999e28c8f619c0d003ba0c6715a
+size 17001
From 26856c7bbc63599f1fe1fa4a010f6944ca3745fb Mon Sep 17 00:00:00 2001
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 25 Nov 2025 08:35:12 -0700
Subject: [PATCH 4/4] npms
---
.../attack_techniques/T1195.001/npm/npm_supply_chain.yml | 6 +++++-
.../T1195.001/npm/shai_hulud_workflow_sysmon.log | 4 ++--
.../T1195.001/npm/windows_workflow_sysmon.log | 3 +++
3 files changed, 10 insertions(+), 3 deletions(-)
create mode 100644 datasets/attack_techniques/T1195.001/npm/windows_workflow_sysmon.log
diff --git a/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml b/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
index bd3b82cb..6988d808 100644
--- a/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
+++ b/datasets/attack_techniques/T1195.001/npm/npm_supply_chain.yml
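Review bot: The added `shai_hulud_workflow_sysmon` entry differs from the first entry only in `name` and `path`; its `sourcetype` and `source` are identical, and the file-level `description:` (outside this hunk) still describes one generic npm supply-chain capture, so nothing in the metadata tells a reader what this second Linux capture contains or how it differs from `workflow_yml_sysmon.log`. If the dataset schema has no per-entry description field, a YAML comment above the entry would carry it, e.g. `# TODO: state what was executed in the range to produce this capture and how it differs from workflow_yml_sysmon.log`. Note that the fourth patch in this series replaces this file's LFS pointer (oid `23a4fb…` → `07d723…`, size 17001 → 21532) with no explanation in its message, so whatever is written should describe the final capture, and the replacement itself deserves a sentence in that commit.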
@@ -14,4 +14,8 @@ datasets:
 - name: shai_hulud_workflow_sysmon
   path: /datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log
   sourcetype: sysmon:linux
-  source: Syslog:Linux-Sysmon/Operational
\ No newline at end of file
+  source: Syslog:Linux-Sysmon/Operational
+- name: windows_workflow_sysmon
+  path: /datasets/attack_techniques/T1195.001/npm/windows_workflow_sysmon.log
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log b/datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log
index 00cac1db..f28d348a 100644
--- a/datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log
+++ b/datasets/attack_techniques/T1195.001/npm/shai_hulud_workflow_sysmon.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:23a4fb324372db0799d122661a62f342f2f5e999e28c8f619c0d003ba0c6715a
-size 17001
+oid sha256:07d7235f1a63513ddb92fe8fb7d45e4f1afcdb90e0b5e8381aeb2f0847447980
+size 21532
diff --git a/datasets/attack_techniques/T1195.001/npm/windows_workflow_sysmon.log b/datasets/attack_techniques/T1195.001/npm/windows_workflow_sysmon.log
new file mode 100644
index 00000000..e91beb12
--- /dev/null
+++ b/datasets/attack_techniques/T1195.001/npm/windows_workflow_sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7d97125aa89a44a943604a166b58c8852d95f44d30fa0309cb3d92f2c6c8d6ca
+size 13192
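Review bot: This hunk already rewrites the file's last line (the removed and re-added `  source: Syslog:Linux-Sysmon/Operational` differ only in the trailing newline), so it is the natural place to finally terminate the file properly, yet the new last line `  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` is again followed by `\ No newline at end of file`; end the file with a newline here. The Windows entry puts the full `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` channel in both `sourcetype` and `source`, which is the form the Splunk Sysmon add-on emits, whereas the two Linux entries split into `sysmon:linux` and `Syslog:Linux-Sysmon/Operational`; that asymmetry is inherent to the two inputs, but a one-line comment above the Windows entry such as `# Windows Sysmon: sourcetype and source are both the XmlWinEventLog channel name` would stop someone from "harmonising" one side to look like the other. With a Windows capture now sitting beside two Linux ones, the file-level `description:` (outside this hunk) should also say that the datasets span both platforms.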