From a3a6f2234f46942e7e535da6ffc4193929b0352f Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 19 Mar 2021 14:38:00 +0100 Subject: [PATCH 01/25] small change --- detections/endpoint/access_lsass_memory_for_dump_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml index eadbd405d5..c67717e04f 100644 --- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml +++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml @@ -49,4 +49,4 @@ tags: - TargetProcessId - SourceImage - SourceProcessId - security_domain: endpoint + security_domain: endpoint \ No newline at end of file From 7bad2fa97584b99a656ebbeb9a6f5720800e9dc8 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 19 Mar 2021 15:10:26 +0100 Subject: [PATCH 02/25] new detection tests --- ...credential_extraction_fgdump_cachedump_v_option.test.yml | 5 ++++- ..._credential_extraction_getaddbaccount_from_dump.test.yml | 6 ++++-- ...__credential_extraction_lazagne_command_options.test.yml | 6 ++++-- .../ssa___credential_extraction_mimikatz_modules.test.yml | 5 ++++- ..._credential_extraction_ms_debuggers_kernel_peek.test.yml | 6 ++++-- ...a___credential_extraction_ms_debuggers_z_option.test.yml | 6 ++++-- ...ssa___credential_extraction_powersploit_modules.test.yml | 6 ++++-- 7 files changed, 28 insertions(+), 12 deletions(-) diff --git a/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_v_option.test.yml b/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_v_option.test.yml index dc0e53e26f..f572408a4d 100644 --- a/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_v_option.test.yml +++ b/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_v_option.test.yml 
@@ -6,4 +6,7 @@ tests: description: Test credential extraction detections attack_data: - file_name: logFgdump.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logFgdump.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logFgdump.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True \ No newline at end of file diff --git a/tests/endpoint/ssa___credential_extraction_getaddbaccount_from_dump.test.yml b/tests/endpoint/ssa___credential_extraction_getaddbaccount_from_dump.test.yml index 3c173cc10f..4e8e29d7cc 100644 --- a/tests/endpoint/ssa___credential_extraction_getaddbaccount_from_dump.test.yml +++ b/tests/endpoint/ssa___credential_extraction_getaddbaccount_from_dump.test.yml @@ -6,5 +6,7 @@ tests: description: Test credential extraction detections attack_data: - file_name: logPowerShellModule.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logPowerShellModule.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logPowerShellModule.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_lazagne_command_options.test.yml b/tests/endpoint/ssa___credential_extraction_lazagne_command_options.test.yml index d4c9e06189..18ebe75967 100644 --- a/tests/endpoint/ssa___credential_extraction_lazagne_command_options.test.yml +++ b/tests/endpoint/ssa___credential_extraction_lazagne_command_options.test.yml 
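Review bot: The added `data:` URL in this hunk, and in the other six hunks of this patch, fetches the replay dataset from the mutable `master` ref of splunk/attack_data, so the input that decides whether a detection test passes can change without any change to this repository. Pinning the URL to a commit SHA (or recording a checksum next to `file_name`) keeps the test deterministic and makes a dataset change show up as a reviewable diff here. Separately, `update_timestamp: True` uses the capitalised YAML 1.1 spelling; the canonical form is `update_timestamp: true`, and the same spelling is added to every test file in PATCH 06 and PATCH 11. The fgdump test file is also left without a trailing newline.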
@@ -6,5 +6,7 @@ tests: description: Test credential extraction detections attack_data: - file_name: logLazagneCredDump.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logLazagneCredDump.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLazagneCredDump.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_mimikatz_modules.test.yml b/tests/endpoint/ssa___credential_extraction_mimikatz_modules.test.yml index e460bc3757..262e694420 100644 --- a/tests/endpoint/ssa___credential_extraction_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___credential_extraction_mimikatz_modules.test.yml @@ -6,5 +6,8 @@ tests: description: Test credential extraction detections attack_data: - file_name: logAllMimikatzModules.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_ms_debuggers_kernel_peek.test.yml b/tests/endpoint/ssa___credential_extraction_ms_debuggers_kernel_peek.test.yml index 3b1d98728d..5969a15fd8 100644 --- a/tests/endpoint/ssa___credential_extraction_ms_debuggers_kernel_peek.test.yml +++ b/tests/endpoint/ssa___credential_extraction_ms_debuggers_kernel_peek.test.yml 
@@ -6,5 +6,7 @@ tests: description: Test credential extraction detections attack_data: - file_name: logLiveKDFullKernelDump.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logLiveKDFullKernelDump.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLiveKDFullKernelDump.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_ms_debuggers_z_option.test.yml b/tests/endpoint/ssa___credential_extraction_ms_debuggers_z_option.test.yml index f7d02548e6..a9d5d4b648 100644 --- a/tests/endpoint/ssa___credential_extraction_ms_debuggers_z_option.test.yml +++ b/tests/endpoint/ssa___credential_extraction_ms_debuggers_z_option.test.yml @@ -6,5 +6,7 @@ tests: description: Test credential extraction detections attack_data: - file_name: logLiveKDFullKernelDump.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logLiveKDFullKernelDump.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLiveKDFullKernelDump.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_powersploit_modules.test.yml b/tests/endpoint/ssa___credential_extraction_powersploit_modules.test.yml index c0dc7b4ab3..c238c25b02 100644 --- a/tests/endpoint/ssa___credential_extraction_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___credential_extraction_powersploit_modules.test.yml 
@@ -6,5 +6,7 @@ tests: description: Test credential extraction detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True From c23ae177aefa2f36aeeebce280ed3d9b536b59eb Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 19 Mar 2021 16:22:06 +0100 Subject: [PATCH 03/25] new detection test --- bin/ssa-end-to-end-testing/modules/utils.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/bin/ssa-end-to-end-testing/modules/utils.py b/bin/ssa-end-to-end-testing/modules/utils.py index b6c5cc7ede..7f8406be5d 100644 --- a/bin/ssa-end-to-end-testing/modules/utils.py +++ b/bin/ssa-end-to-end-testing/modules/utils.py @@ -112,17 +112,19 @@ def read_data(file_name): date_rex = r'\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M' count = len(open(modified_file).readlines()) i = 0 + tmp_counter = 0 for line in fileinput.input(files=modified_file): i = i + 1 if event != "" and re.match(date_rex, line): data.append(event) + tmp_counter = 0 event = line else: + tmp_counter = tmp_counter + 1 event = event + line - if i == count: - if len(data) == 0: - data.append(event) + if i == count and tmp_counter > 10: + data.append(event) return data From 783a144cd7a5c282298e71aaf90d2ca75efbfea2 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 19 Mar 2021 16:54:10 +0100 Subject: [PATCH 04/25] new detection test --- .gitlab-ci.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3a83aa52c6..a338e32925 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
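Review bot: The new `tmp_counter > 10` guard on the last `if` of the loop silently drops the final event of a file whenever it has ten or fewer continuation lines, so a dataset whose last record is short never returns that record; nothing in the hunk says where 10 comes from. If the intent is to discard a trailing fragment such as blank lines, the threshold should be a named constant with a comment, e.g. `MIN_TRAILING_LINES = 10  # drop a short tail that is not a full event (TODO confirm)`, and the comparison made against that name; if the intent was only to stop losing the last event, `if i == count and event != "":` is the safer condition. The enclosing `read_data` starts before the hunk.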
@@ -23,8 +23,6 @@ validate: - python3 bin/ssa_validate.py --skip-error detections/*/* - python3 bin/ssa_test.py --skip-error tests/*/* - python3 bin/testing_coverage.py --type streaming --min-coverage 1.0 - only: - - /^ssa.*$/ publish_deployer: stage: publish_deployer @@ -36,8 +34,6 @@ publish_deployer: - cd bin/ssa-end-to-end-testing/k8s-deployer - docker build . -t ${K8_DEPLOYER_CONTAINER}:${CI_COMMIT_SHORT_SHA} - docker push ${K8_DEPLOYER_CONTAINER}:${CI_COMMIT_SHORT_SHA} - only: - - /^ssa.*$/ publish_smoketest_runner: stage: publish_smoketest_runner @@ -48,8 +44,6 @@ publish_smoketest_runner: - eval $(go-go vault -a ${DOCKER_ROLE}) - docker build bin/ssa-end-to-end-testing/smoke-test-runner -t ${SMOKETEST_RUNNER}:${CI_COMMIT_SHORT_SHA} --build-arg SRCBRANCH=$CI_COMMIT_REF_NAME - docker push ${SMOKETEST_RUNNER}:${CI_COMMIT_SHORT_SHA} - only: - - /^ssa.*$/ smoketest_staging: stage: smoketest_staging @@ -67,5 +61,3 @@ smoketest_staging: variables: SCSENV: app_staging1 SMOKETEST_RUNNER_IMAGE: ${SMOKETEST_RUNNER}:${CI_COMMIT_SHORT_SHA} - only: - - /^ssa.*$/ From 75e9a8c2fb7add0bbe518ae9f9bbe840c978e915 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 19 Mar 2021 16:56:29 +0100 Subject: [PATCH 05/25] new detection test --- .gitlab-ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a338e32925..3a83aa52c6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -23,6 +23,8 @@ validate: - python3 bin/ssa_validate.py --skip-error detections/*/* - python3 bin/ssa_test.py --skip-error tests/*/* - python3 bin/testing_coverage.py --type streaming --min-coverage 1.0 + only: + - /^ssa.*$/ publish_deployer: stage: publish_deployer @@ -34,6 +36,8 @@ publish_deployer: - cd bin/ssa-end-to-end-testing/k8s-deployer - docker build . -t ${K8_DEPLOYER_CONTAINER}:${CI_COMMIT_SHORT_SHA} - docker push ${K8_DEPLOYER_CONTAINER}:${CI_COMMIT_SHORT_SHA} + only: + - /^ssa.*$/ publish_smoketest_runner: stage: publish_smoketest_runner 
@@ -44,6 +48,8 @@ publish_smoketest_runner: - eval $(go-go vault -a ${DOCKER_ROLE}) - docker build bin/ssa-end-to-end-testing/smoke-test-runner -t ${SMOKETEST_RUNNER}:${CI_COMMIT_SHORT_SHA} --build-arg SRCBRANCH=$CI_COMMIT_REF_NAME - docker push ${SMOKETEST_RUNNER}:${CI_COMMIT_SHORT_SHA} + only: + - /^ssa.*$/ smoketest_staging: stage: smoketest_staging @@ -61,3 +67,5 @@ smoketest_staging: variables: SCSENV: app_staging1 SMOKETEST_RUNNER_IMAGE: ${SMOKETEST_RUNNER}:${CI_COMMIT_SHORT_SHA} + only: + - /^ssa.*$/ From 5fc3209293aef79ccc3f47769193b93768ef6709 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Mon, 22 Mar 2021 09:22:44 +0100 Subject: [PATCH 06/25] SSA detection tests updated --- ...gal_access_user_content_via_powersploit_modules.test.yml | 6 ++++-- ...llegal_account_creation_via_powersploit_modules.test.yml | 5 ++++- ..._account_enable_disable_via_dsinternals_modules.test.yml | 6 ++++-- ...ssa___illegal_log_deletion_via_mimikatz_modules.test.yml | 6 ++++-- ...D_elements_and_policies_via_dsinternals_modules.test.yml | 5 ++++- ...mputers_and_AD_elements_via_powersploit_modules.test.yml | 6 ++++-- ...evation_and_persistence_via_powersploit_modules.test.yml | 6 ++++-- ...llegal_privilege_elevation_via_mimikatz_modules.test.yml | 6 ++++-- ...ervice_and_process_control_via_mimikatz_modules.test.yml | 6 ++++-- ...ice_and_process_control_via_powersploit_modules.test.yml | 6 ++++-- 10 files changed, 40 insertions(+), 18 deletions(-) diff --git a/tests/endpoint/ssa___illegal_access_user_content_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_access_user_content_via_powersploit_modules.test.yml index fa30ad2024..2a3ed57b68 100644 --- a/tests/endpoint/ssa___illegal_access_user_content_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___illegal_access_user_content_via_powersploit_modules.test.yml 
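Review bot: The re-added `only: - /^ssa.*$/` block is copied verbatim into all four jobs (this hunk and the three preceding ones in this patch), so a change to the branch pattern has to be made in four places. A single definition — a YAML anchor such as `.ssa_only: &ssa_only` merged into each job, or a top-level `workflow: rules:` in GitLab CI — keeps the pattern in one place. Since these jobs push images after `eval $(go-go vault -a ${DOCKER_ROLE})`, the branch filter is also what limits which pipelines can publish, which is a reason to keep it easy to audit. PATCH 04 removed exactly these lines and PATCH 05 restores them, so the pair nets to no change and could be squashed.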
@@ -6,5 +6,7 @@ tests: description: Test illegal access to user content detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/illegal_access_to_content/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_account_creation_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_account_creation_via_powersploit_modules.test.yml index 72e29e3c8e..10423476c6 100644 --- a/tests/endpoint/ssa___illegal_account_creation_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___illegal_account_creation_via_powersploit_modules.test.yml @@ -6,5 +6,8 @@ tests: description: Test illegal account creation detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/illegal_access_to_content/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_account_enable_disable_via_dsinternals_modules.test.yml b/tests/endpoint/ssa___illegal_account_enable_disable_via_dsinternals_modules.test.yml index 937c8448a7..baeba55003 100644 --- a/tests/endpoint/ssa___illegal_account_enable_disable_via_dsinternals_modules.test.yml +++ b/tests/endpoint/ssa___illegal_account_enable_disable_via_dsinternals_modules.test.yml 
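Review bot: The second hunk on this line, `ssa___illegal_account_creation_via_powersploit_modules.test.yml`, points its `data:` URL at `T1021/illegal_access_to_content/`, the directory used by the preceding illegal-access test, while every other file in this patch uses a directory named after its own technique; this looks like a copied URL and is worth confirming against the dataset layout. The two dsinternals test files further down are committed without a trailing newline (`\ No newline at end of file`). `update_timestamp: True` should be the canonical `true` throughout.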
@@ -6,5 +6,7 @@ tests: description: Test enabling or disabling of accounts detections attack_data: - file_name: logAllDSInternalsModules.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllDSInternalsModules.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/logAllDSInternalsModules.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True \ No newline at end of file diff --git a/tests/endpoint/ssa___illegal_log_deletion_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___illegal_log_deletion_via_mimikatz_modules.test.yml index 7c612b8095..fc161aa338 100644 --- a/tests/endpoint/ssa___illegal_log_deletion_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___illegal_log_deletion_via_mimikatz_modules.test.yml @@ -6,5 +6,7 @@ tests: description: Test illegal log deletion detections attack_data: - file_name: logAllMimikatzModules.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/illegal_log_deletion/logAllMimikatzModules.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_management_AD_elements_and_policies_via_dsinternals_modules.test.yml b/tests/endpoint/ssa___illegal_management_AD_elements_and_policies_via_dsinternals_modules.test.yml index 46b465d5e4..627f7de3d6 100644 --- a/tests/endpoint/ssa___illegal_management_AD_elements_and_policies_via_dsinternals_modules.test.yml +++ b/tests/endpoint/ssa___illegal_management_AD_elements_and_policies_via_dsinternals_modules.test.yml 
@@ -6,4 +6,7 @@ tests: description: Test illegal management of Active Directory elements and policies detections attack_data: - file_name: logAllDSInternalsModules.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllDSInternalsModules.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/logAllDSInternalsModules.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True \ No newline at end of file diff --git a/tests/endpoint/ssa___illegal_management_computers_and_AD_elements_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_management_computers_and_AD_elements_via_powersploit_modules.test.yml index 1044d859c0..cb73e27946 100644 --- a/tests/endpoint/ssa___illegal_management_computers_and_AD_elements_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___illegal_management_computers_and_AD_elements_via_powersploit_modules.test.yml @@ -6,5 +6,7 @@ tests: description: Test illegal management of computers and Active Directory elements detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_privilege_elevation_and_persistence_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_privilege_elevation_and_persistence_via_powersploit_modules.test.yml index a308e881c6..2408924400 100644 --- a/tests/endpoint/ssa___illegal_privilege_elevation_and_persistence_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___illegal_privilege_elevation_and_persistence_via_powersploit_modules.test.yml 
@@ -6,5 +6,7 @@ tests: description: Test privilege elevation and persistence detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_privilege_elevation_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___illegal_privilege_elevation_via_mimikatz_modules.test.yml index a76d25e773..8a5d80300b 100644 --- a/tests/endpoint/ssa___illegal_privilege_elevation_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___illegal_privilege_elevation_via_mimikatz_modules.test.yml @@ -6,5 +6,7 @@ tests: description: Test illegal privilege elevation detections attack_data: - file_name: logAllMimikatzModules.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/logAllMimikatzModules.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml index 928c6bbf91..a2251575dd 100644 --- a/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml 
@@ -6,5 +6,7 @@ tests: description: Test illegal service and process control detections attack_data: - file_name: logAllMimikatzModules.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569/logAllMimikatzModules.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml index 8e18aaad1f..8b6941d7ff 100644 --- a/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml @@ -6,5 +6,7 @@ tests: description: Test illegal service and process control detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True From 791b6f112607160215eafdda6c5b278d285bfb8c Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Tue, 23 Mar 2021 09:50:29 +0100 Subject: [PATCH 07/25] increases max timeout limit --- .../k8s-deployer/k8s/components/smoketest.jsonnet | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/ssa-end-to-end-testing/k8s-deployer/k8s/components/smoketest.jsonnet b/bin/ssa-end-to-end-testing/k8s-deployer/k8s/components/smoketest.jsonnet index 38185080a2..5ec6abe30d 100644 --- a/bin/ssa-end-to-end-testing/k8s-deployer/k8s/components/smoketest.jsonnet 
+++ b/bin/ssa-end-to-end-testing/k8s-deployer/k8s/components/smoketest.jsonnet @@ -13,7 +13,7 @@ local job = { }, }, spec: { - activeDeadlineSeconds: 1800, + activeDeadlineSeconds: 3600, ttlSecondsAfterFinished: 100, template: { metadata: { From e3e4e2b5127e23f079a47ee5b1cad259501d89d4 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Tue, 23 Mar 2021 11:06:15 +0100 Subject: [PATCH 08/25] bug fixes test files --- ...illegal_service_and_process_control_via_mimikatz_modules.yml | 2 +- ...egal_service_and_process_control_via_powersploit_modules.yml | 2 +- ...al_service_and_process_control_via_mimikatz_modules.test.yml | 2 +- ...service_and_process_control_via_powersploit_modules.test.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.yml b/detections/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.yml index baab480bfc..7916763b24 100644 --- a/detections/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.yml +++ b/detections/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.yml @@ -33,7 +33,7 @@ tags: - CIS 16 - CIS 20 dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569/logAllMimikatzModules.log + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log kill_chain_phases: - Actions on Objectives mitre_attack_id: diff --git a/detections/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.yml b/detections/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.yml index f8c7d76cbe..b05ea482f9 100644 --- a/detections/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.yml +++ b/detections/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.yml 
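Review bot: `activeDeadlineSeconds` is doubled from 1800 to 3600 with no comment recording why, so the next person to hit the limit cannot tell whether 3600 is a measured need or a guess. A one-line comment such as `activeDeadlineSeconds: 3600,  // smoke-test runs were exceeding the 30 min limit (TODO: record typical duration)` keeps the rationale next to the value. Note that the adjacent `ttlSecondsAfterFinished: 100` appears to remove a deadline-killed job 100 s after it fails, which leaves little time to collect its logs when the new limit is hit.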
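Review bot: The `dataset:` entry of `ssa___illegal_service_and_process_control_via_mimikatz_modules.yml` is moved from `T1569/` to `T1003/credential_extraction/`, so the dataset no longer sits in the directory of the technique the detection is tagged with (`mitre_attack_id:` follows in the context); the same move is made for the powersploit detection and both test files in the next two hunks. If the log was relocated in attack_data rather than the detection retargeted, a short comment above `dataset:` saying that the mimikatz and PowerSploit captures are shared across several technique directories would stop the next reader treating the mismatch as a bug. PATCH 06 introduced the `T1569/` paths only days earlier, so it is worth confirming which layout attack_data actually has before this ping-pongs again.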
@@ -42,7 +42,7 @@ tags: - CIS 16 - CIS 20 dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569/logAllPowerSploitModulesWithOldNames.log + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log kill_chain_phases: - Actions on Objectives mitre_attack_id: diff --git a/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml index a2251575dd..1d6249f697 100644 --- a/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml @@ -6,7 +6,7 @@ tests: description: Test illegal service and process control detections attack_data: - file_name: logAllMimikatzModules.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569/logAllMimikatzModules.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log source: WinEventLog:Security sourcetype: xmlwineventlog update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml index 8b6941d7ff..9d7b249047 100644 --- a/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml 
@@ -6,7 +6,7 @@ tests: description: Test illegal service and process control detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569/logAllPowerSploitModulesWithOldNames.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log source: WinEventLog:Security sourcetype: xmlwineventlog update_timestamp: True From fc1d74b624c9940226b1a66e7de960120680b3e4 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Tue, 23 Mar 2021 11:29:05 +0100 Subject: [PATCH 09/25] bug fixes test files --- bin/ssa-end-to-end-testing/modules/github_service.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/ssa-end-to-end-testing/modules/github_service.py b/bin/ssa-end-to-end-testing/modules/github_service.py index 09e13de335..acf260164b 100644 --- a/bin/ssa-end-to-end-testing/modules/github_service.py +++ b/bin/ssa-end-to-end-testing/modules/github_service.py @@ -27,7 +27,7 @@ def get_changed_test_files_ssa(self): branch1 = self.security_content_branch branch2 = 'develop' g = git.Git('security_content') - differ = g.diff('--name-only', branch1, branch2) + differ = g.diff('--name-only --diff-filter=AMR', branch1, branch2) changed_files = differ.splitlines() changed_ssa_test_files = [] From 275c5a4dfb0e7f02421b540210d5e7b6a5841d53 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Tue, 23 Mar 2021 11:55:56 +0100 Subject: [PATCH 10/25] bug fix --- bin/ssa-end-to-end-testing/modules/github_service.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/bin/ssa-end-to-end-testing/modules/github_service.py b/bin/ssa-end-to-end-testing/modules/github_service.py index acf260164b..bfc5cc2f03 100644 --- a/bin/ssa-end-to-end-testing/modules/github_service.py +++ b/bin/ssa-end-to-end-testing/modules/github_service.py 
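Review bot: `g.diff('--name-only --diff-filter=AMR', branch1, branch2)` passes both options as a single argument; GitPython's `Git` wrapper hands each positional to git as one argv element, so git receives an option literally named `--name-only --diff-filter=AMR` and the call should fail rather than filter anything. The options belong in separate arguments, `differ = g.diff('--name-only', '--diff-filter=AMR', branch1, branch2)`, which keeps the intended effect of excluding deleted files from the test-file list. Since `branch1` comes from `self.security_content_branch`, a value that begins with `-` would itself be read as an option; if that value can originate from CI input, validating it or placing `--end-of-options` (git 2.24+) before the revisions closes that gap. The enclosing `get_changed_test_files_ssa` continues outside the hunk.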
@@ -27,7 +27,7 @@ def get_changed_test_files_ssa(self): branch1 = self.security_content_branch branch2 = 'develop' g = git.Git('security_content') - differ = g.diff('--name-only --diff-filter=AMR', branch1, branch2) + differ = g.diff('--name-only', branch1, branch2) changed_files = differ.splitlines() changed_ssa_test_files = [] @@ -44,8 +44,6 @@ def get_changed_test_files_ssa(self): if os.path.basename(file_path).startswith('ssa'): file_path_base = os.path.splitext(file_path)[0].replace('detections', 'tests') + '.test' file_path_new = file_path_base + '.yml' - if not os.path.exists(file_path_new): - file_path_new = file_path_base + '.yaml' if file_path_new not in changed_ssa_test_files: changed_ssa_test_files.append(file_path_new) From e08b1ab9a983022c16d128366617e76928d0847d Mon Sep 17 00:00:00 2001 
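Review bot: With the `.yaml` fallback removed in the second hunk, `file_path_new` is appended without any existence check, so a detection file that was deleted or renamed between the two branches — which `git diff --name-only` still reports now that `--diff-filter` is dropped again in the first hunk — yields a test path that presumably does not exist on disk and fails later when it is opened. Keeping a guard, `if os.path.exists(file_path_new) and file_path_new not in changed_ssa_test_files:`, or restoring the filter as separate arguments, `g.diff('--name-only', '--diff-filter=AMR', branch1, branch2)`, avoids queuing tests for files that are gone. The enclosing function starts and ends outside the hunks.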
From: P4T12ICK Date: Tue, 23 Mar 2021 13:09:50 +0100 Subject: [PATCH 11/25] testing ssa detections --- ...ith_stolen_credentials_via_powersploit_modules.test.yml | 6 ++++-- ...sistence_opportunities_via_powersploit_modules.test.yml | 6 ++++-- ...counts_groups_policies_via_powersploit_modules.test.yml | 5 ++++- ...n_and_use_accounts_groups_via_mimikatz_modules.test.yml | 7 +++++-- ...rectory_infrastructure_via_powersploit_modules.test.yml | 5 ++++- ..._use_computers_domains_via_powersploit_modules.test.yml | 5 ++++- ...__recon_and_use_computers_via_mimikatz_modules.test.yml | 7 +++++-- ...rating_system_elements_via_powersploit_modules.test.yml | 5 ++++- ...sa___recon_and_use_shares_via_mimikatz_modules.test.yml | 6 ++++-- ...__recon_and_use_shares_via_powersploit_modules.test.yml | 5 ++++- ...a___recon_connectivity_via_powersploit_modules.test.yml | 5 ++++- ...ntial_stores_and_services_via_mimikatz_modules.test.yml | 6 ++++-- ..._recon_defensive_tools_via_powersploit_modules.test.yml | 5 ++++- ...calation_opportunities_via_powersploit_modules.test.yml | 5 ++++- ...process_service_hijacking_via_mimikatz_modules.test.yml | 5 ++++- ...on_processes_and_services_via_mimikatz_modules.test.yml | 5 ++++- ...___setting_credentials_via_dsinternals_modules.test.yml | 6 ++++-- ...ssa___setting_credentials_via_mimikatz_modules.test.yml | 6 ++++-- ...___setting_credentials_via_powersploit_modules.test.yml | 5 ++++- 19 files changed, 78 insertions(+), 27 deletions(-) diff --git a/tests/endpoint/ssa___probing_access_with_stolen_credentials_via_powersploit_modules.test.yml b/tests/endpoint/ssa___probing_access_with_stolen_credentials_via_powersploit_modules.test.yml index c277eee8aa..3955928d21 100644 --- a/tests/endpoint/ssa___probing_access_with_stolen_credentials_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___probing_access_with_stolen_credentials_via_powersploit_modules.test.yml 
@@ -6,5 +6,7 @@ tests: description: Test access probing with stolen credentials detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___recon_access_and_persistence_opportunities_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_access_and_persistence_opportunities_via_powersploit_modules.test.yml index 38f15783a2..dfb1a3da81 100644 --- a/tests/endpoint/ssa___recon_access_and_persistence_opportunities_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___recon_access_and_persistence_opportunities_via_powersploit_modules.test.yml @@ -6,5 +6,7 @@ tests: description: Test reconnaissance of access and persistence detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log - + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___recon_and_use_accounts_groups_policies_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_accounts_groups_policies_via_powersploit_modules.test.yml index 90138c0ac1..d8f81c1746 100644 --- a/tests/endpoint/ssa___recon_and_use_accounts_groups_policies_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___recon_and_use_accounts_groups_policies_via_powersploit_modules.test.yml 
@@ -6,5 +6,8 @@ tests: description: Test reconnaissance and access to accounts groups and policies detections attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml index 41a9efbf39..fc1dc1d2cb 100644 --- a/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml @@ -5,6 +5,9 @@ tests: pass_condition: '@count_gt(0)' description: Test reconnaissance and access to accounts and groups detections attack_data: - - file_name: logAllMimikatzModules.log - data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log + - file_name: logAllPowerSploitModulesWithOldNames.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log + source: WinEventLog:Security + sourcetype: xmlwineventlog + update_timestamp: True diff --git a/tests/endpoint/ssa___recon_and_use_active_directory_infrastructure_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_active_directory_infrastructure_via_powersploit_modules.test.yml index 41b1ebfb63..cf57966a14 100644 --- a/tests/endpoint/ssa___recon_and_use_active_directory_infrastructure_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___recon_and_use_active_directory_infrastructure_via_powersploit_modules.test.yml 
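Review bot: In the second hunk on this line, `ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml` swaps its `file_name` from `logAllMimikatzModules.log` to `logAllPowerSploitModulesWithOldNames.log`, so a test named for a mimikatz-modules detection now replays PowerSploit activity; the same swap is made for `ssa___recon_and_use_computers_via_mimikatz_modules.test.yml` further down. With `pass_condition: '@count_gt(0)'` the test only asserts that something fired, so it cannot distinguish the mimikatz detection matching its intended events from it firing on unrelated events in the new file. If the PowerSploit capture is what actually contains the mimikatz module invocations, a comment above `attack_data:` saying so would pre-empt the question; otherwise the mimikatz log should be restored with the new `source`/`sourcetype` keys kept.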
@@ -6,5 +6,8 @@ tests:
description: Test reconnaissance and access to active directory infrastrucutre detections
attack_data:
- file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_computers_domains_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_computers_domains_via_powersploit_modules.test.yml
index 1a06e212e1..c53f3ca626 100644
--- a/tests/endpoint/ssa___recon_and_use_computers_domains_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_computers_domains_via_powersploit_modules.test.yml
@@ -6,5 +6,8 @@ tests:
description: Test reconnaissance and access to computers and domains detections
attack_data:
- file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml
index 2950a3d909..d63effab52 100644
--- a/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml
@@ -5,6 +5,9 @@ tests:
pass_condition: '@count_gt(0)'
description: Test reconnaissance and access to computers detections
attack_data:
- - file_name: logAllMimikatzModules.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log
+ - file_name: logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_operating_system_elements_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_operating_system_elements_via_powersploit_modules.test.yml
index 47485bc4a7..fb862c95b9 100644
--- a/tests/endpoint/ssa___recon_and_use_operating_system_elements_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_operating_system_elements_via_powersploit_modules.test.yml
@@ -6,5 +6,8 @@ tests:
description: Test reconnaissance and access to operating system element detections
attack_data:
- file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_shares_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_and_use_shares_via_mimikatz_modules.test.yml
index 095b0be6ab..87d2005854 100644
--- a/tests/endpoint/ssa___recon_and_use_shares_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_shares_via_mimikatz_modules.test.yml
@@ -6,5 +6,7 @@ tests:
description: Test reconnaissance and access to network shares detections
attack_data:
- file_name: logAllMimikatzModules.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log
-
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml
index 43734fc12b..0c656ef103 100644
--- a/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml
@@ -6,5 +6,8 @@ tests:
description: Test reconnaissance and access to shares detections
attack_data:
- file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_connectivity_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_connectivity_via_powersploit_modules.test.yml
index 7eeec3598d..568be310fe 100644
--- a/tests/endpoint/ssa___recon_connectivity_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_connectivity_via_powersploit_modules.test.yml
@@ -6,5 +6,8 @@ tests:
description: Test reconnaissance of connectivity detections
attack_data:
- file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_credential_stores_and_services_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_credential_stores_and_services_via_mimikatz_modules.test.yml
index e42bb65f5d..b17ae2dcb4 100644
--- a/tests/endpoint/ssa___recon_credential_stores_and_services_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_credential_stores_and_services_via_mimikatz_modules.test.yml
@@ -6,5 +6,7 @@ tests:
description: Test reconnaissance of credential stores and services detections
attack_data:
- file_name: logAllMimikatzModules.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log
-
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_defensive_tools_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_defensive_tools_via_powersploit_modules.test.yml
index 00dc4fe4c5..4493b7b1a6 100644
--- a/tests/endpoint/ssa___recon_defensive_tools_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_defensive_tools_via_powersploit_modules.test.yml
@@ -6,5 +6,8 @@ tests:
description: Test reconnaissance of presence of defensive tools detections
attack_data:
- file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.test.yml
index a7028de183..caed7375c8 100644
--- a/tests/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.test.yml
@@ -6,5 +6,8 @@ tests:
description: Test reconnaissance of privilege escalations opportunities detections
attack_data:
- file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_process_service_hijacking_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_process_service_hijacking_via_mimikatz_modules.test.yml
index 24afc326fe..f547e8ac50 100644
--- a/tests/endpoint/ssa___recon_process_service_hijacking_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_process_service_hijacking_via_mimikatz_modules.test.yml
@@ -6,5 +6,8 @@ tests:
description: Test reconnaissance of process or service hijacking detections
attack_data:
- file_name: logAllMimikatzModules.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_processes_and_services_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_processes_and_services_via_mimikatz_modules.test.yml
index 70d836f6c1..06b0023a14 100644
--- a/tests/endpoint/ssa___recon_processes_and_services_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_processes_and_services_via_mimikatz_modules.test.yml
@@ -6,5 +6,8 @@ tests:
description: Test reconnaissance of processes and services detections
attack_data:
- file_name: logAllMimikatzModules.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___setting_credentials_via_dsinternals_modules.test.yml b/tests/endpoint/ssa___setting_credentials_via_dsinternals_modules.test.yml
index c152e45a64..808f7efc67 100644
--- a/tests/endpoint/ssa___setting_credentials_via_dsinternals_modules.test.yml
+++ b/tests/endpoint/ssa___setting_credentials_via_dsinternals_modules.test.yml
@@ -6,5 +6,7 @@ tests:
description: Test illegal credential setting detections
attack_data:
- file_name: logAllDSInternalsModules.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllDSInternalsModules.log
-
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllDSInternalsModules.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___setting_credentials_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___setting_credentials_via_mimikatz_modules.test.yml
index 3be6db0fa2..78d9cf9468 100644
--- a/tests/endpoint/ssa___setting_credentials_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___setting_credentials_via_mimikatz_modules.test.yml
@@ -6,5 +6,7 @@ tests:
description: Test illegal credential setting detections
attack_data:
- file_name: logAllMimikatzModules.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllMimikatzModules.log
-
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___setting_credentials_via_powersploit_modules.test.yml b/tests/endpoint/ssa___setting_credentials_via_powersploit_modules.test.yml
index b6f2fa8a38..f4507e99b0 100644
--- a/tests/endpoint/ssa___setting_credentials_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___setting_credentials_via_powersploit_modules.test.yml
@@ -6,5 +6,8 @@ tests:
description: Test illegal credential setting detections
attack_data:
- file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
From b396890b0b985a1bf0396f5e4d5ef20586008357 Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Tue, 23 Mar 2021 13:50:45 +0100
Subject: [PATCH 12/25] testing ssa detections
---
.../k8s-deployer/k8s/components/smoketest.jsonnet | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/ssa-end-to-end-testing/k8s-deployer/k8s/components/smoketest.jsonnet b/bin/ssa-end-to-end-testing/k8s-deployer/k8s/components/smoketest.jsonnet
index 38185080a2..6045a8f001 100644
--- a/bin/ssa-end-to-end-testing/k8s-deployer/k8s/components/smoketest.jsonnet
+++ b/bin/ssa-end-to-end-testing/k8s-deployer/k8s/components/smoketest.jsonnet
@@ -13,7 +13,7 @@ local job = {
},
},
spec: {
- activeDeadlineSeconds: 1800,
+ activeDeadlineSeconds: 7200,
ttlSecondsAfterFinished: 100,
template: {
metadata: {
From 617ec011d618cb081e47a12cdcb5c0589bdc8a5d Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Tue, 23 Mar 2021 14:52:10 +0100
Subject: [PATCH 13/25] ssa detection testing
---
.../ssa___detect_dump_lsass_memory_using_comsvcs.test.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tests/endpoint/ssa___detect_dump_lsass_memory_using_comsvcs.test.yml b/tests/endpoint/ssa___detect_dump_lsass_memory_using_comsvcs.test.yml
index e80826db41..35d3148446 100644
--- a/tests/endpoint/ssa___detect_dump_lsass_memory_using_comsvcs.test.yml
+++ b/tests/endpoint/ssa___detect_dump_lsass_memory_using_comsvcs.test.yml
@@ -5,5 +5,8 @@ tests:
pass_condition: '@count_gt(0)'
description: Test credential dumping detections
attack_data:
- - file_name: windows-security-events_ssa.log
- data: https://attack-range-attack-data.s3-us-west-2.amazonaws.com/T1003.001/windows-security-events_ssa.log
+ - file_name: windows-security.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
\ No newline at end of file
From 19d96dac72bc720a410c1b63ea83439b2ad3de83 Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Tue, 23 Mar 2021 15:03:18 +0100
Subject: [PATCH 14/25] ssa detection testing
---
bin/ssa-end-to-end-testing/modules/test_ssa_detections.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/ssa-end-to-end-testing/modules/test_ssa_detections.py b/bin/ssa-end-to-end-testing/modules/test_ssa_detections.py
index d9c323c189..36c5c642e2 100644
--- a/bin/ssa-end-to-end-testing/modules/test_ssa_detections.py
+++ b/bin/ssa-end-to-end-testing/modules/test_ssa_detections.py
@@ -16,7 +16,7 @@ SLEEP_TIME_ACTIVATE_PIPELINE = 10
SLEEP_TIME_SEND_DATA = 30
WAIT_CYCLE = 20
-MAX_EXECUTION_TIME_LIMIT = 600 # per detection test
+MAX_EXECUTION_TIME_LIMIT = 400 # per detection test
TEST_DATASET = 'windows-security_small.txt'
From 08857c50c84eb2b4ae38e184f10149e2e5708dcd Mon Sep 17 00:00:00 2001
From: Stanislav Miskovic
Date: Thu, 25 Mar 2021 14:26:23 -0700
Subject: [PATCH 15/25] Misko: Fixed tests with correct datasets and dataset locations
---
...ce_and_process_control_via_powersploit_modules.test.yml | 7 +++++--
...n_and_use_accounts_groups_via_mimikatz_modules.test.yml | 4 ++--
...__recon_and_use_computers_via_mimikatz_modules.test.yml | 4 ++--
3 files changed, 9 insertions(+), 6 deletions(-)
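Review bot: The rewritten ssa___detect_dump_lsass_memory_using_comsvcs test ends without a final newline (`\ No newline at end of file` follows `update_timestamp: True`); add the trailing newline so the last line does not show as modified in every later edit and the file satisfies yamllint's new-line-at-end-of-file rule. `update_timestamp: True` here is the same capitalised boolean flagged on the earlier credential-extraction hunks and should be `update_timestamp: true` as well.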
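Review bot: `MAX_EXECUTION_TIME_LIMIT = 400` lowers the per-detection budget, but the comment still states neither the unit nor why 400 replaces 600, while patch 12 in the same series raises the smoke-test job's `activeDeadlineSeconds` from 1800 to 7200, so the two limits now move in opposite directions with no recorded reason. If the limit shares a unit with `WAIT_CYCLE = 20`, it allows at most twenty wait cycles per detection, which is worth stating next to the constant. Extend the comment to `MAX_EXECUTION_TIME_LIMIT = 400  # per detection test, in <unit>; <reason the budget was reduced>`.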
diff --git a/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml
index 8e18aaad1f..ff1d44cf5f 100644
--- a/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml
@@ -5,6 +5,9 @@ tests:
pass_condition: '@count_gt(0)'
description: Test illegal service and process control detections
attack_data:
- - file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log
+ - file_name: logAllPowerSploitModulesWithOldNames.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ source: WinEventLog:Security
+ sourcetype: xmlwineventlog
+ update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml
index fc1dc1d2cb..cf62865d1c 100644
--- a/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml
@@ -5,8 +5,8 @@ tests:
pass_condition: '@count_gt(0)'
description: Test reconnaissance and access to accounts and groups detections
attack_data:
- - file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ - file_name: logAllMimikatzModules.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
source: WinEventLog:Security
sourcetype: xmlwineventlog
update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml
index d63effab52..5af2151331 100644
--- a/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml
@@ -5,8 +5,8 @@ tests:
pass_condition: '@count_gt(0)'
description: Test reconnaissance and access to computers detections
attack_data:
- - file_name: logAllPowerSploitModulesWithOldNames.log
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
+ - file_name: logAllMimikatzModules.log
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
source: WinEventLog:Security
sourcetype: xmlwineventlog
update_timestamp: True
From 0ae9f1496dc311fbeb4213b8de32c6c8e78dbe12 Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Fri, 26 Mar 2021 08:51:39 +0100
Subject: [PATCH 16/25] updated test files
---
...service_and_process_control_via_powersploit_modules.test.yml | 2 --
...ess_with_stolen_credentials_via_powersploit_modules.test.yml | 2 --
...d_persistence_opportunities_via_powersploit_modules.test.yml | 2 --
...se_accounts_groups_policies_via_powersploit_modules.test.yml | 2 --
..._recon_and_use_accounts_groups_via_mimikatz_modules.test.yml | 2 --
...ve_directory_infrastructure_via_powersploit_modules.test.yml | 2 --
...n_and_use_computers_domains_via_powersploit_modules.test.yml | 2 --
.../ssa___recon_and_use_computers_via_mimikatz_modules.test.yml | 2 --
...e_operating_system_elements_via_powersploit_modules.test.yml | 2 --
.../ssa___recon_and_use_shares_via_mimikatz_modules.test.yml | 2 --
.../ssa___recon_and_use_shares_via_powersploit_modules.test.yml | 2 --
.../ssa___recon_connectivity_via_powersploit_modules.test.yml | 2 --
...credential_stores_and_services_via_mimikatz_modules.test.yml | 2 --
...ssa___recon_defensive_tools_via_powersploit_modules.test.yml | 2 --
...ge_escalation_opportunities_via_powersploit_modules.test.yml | 2 --
...econ_process_service_hijacking_via_mimikatz_modules.test.yml | 2 --
...__recon_processes_and_services_via_mimikatz_modules.test.yml | 2 --
.../ssa___setting_credentials_via_dsinternals_modules.test.yml | 2 --
.../ssa___setting_credentials_via_mimikatz_modules.test.yml | 2 --
.../ssa___setting_credentials_via_powersploit_modules.test.yml | 2 --
20 files changed, 40 deletions(-)
diff --git a/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml
index ff1d44cf5f..b649e8d336 100644
--- a/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___illegal_service_and_process_control_via_powersploit_modules.test.yml
@@ -8,6 +8,4 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___probing_access_with_stolen_credentials_via_powersploit_modules.test.yml b/tests/endpoint/ssa___probing_access_with_stolen_credentials_via_powersploit_modules.test.yml
index 3955928d21..294a265703 100644
--- a/tests/endpoint/ssa___probing_access_with_stolen_credentials_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___probing_access_with_stolen_credentials_via_powersploit_modules.test.yml
@@ -8,5 +8,3 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_access_and_persistence_opportunities_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_access_and_persistence_opportunities_via_powersploit_modules.test.yml
index dfb1a3da81..a8295db554 100644
--- a/tests/endpoint/ssa___recon_access_and_persistence_opportunities_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_access_and_persistence_opportunities_via_powersploit_modules.test.yml
@@ -8,5 +8,3 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_accounts_groups_policies_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_accounts_groups_policies_via_powersploit_modules.test.yml
index d8f81c1746..329486d2cf 100644
--- a/tests/endpoint/ssa___recon_and_use_accounts_groups_policies_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_accounts_groups_policies_via_powersploit_modules.test.yml
@@ -8,6 +8,4 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml
index cf62865d1c..6f1a1133c3 100644
--- a/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_accounts_groups_via_mimikatz_modules.test.yml
@@ -8,6 +8,4 @@ tests:
- file_name: logAllMimikatzModules.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_active_directory_infrastructure_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_active_directory_infrastructure_via_powersploit_modules.test.yml
index cf57966a14..0831092dd2 100644
--- a/tests/endpoint/ssa___recon_and_use_active_directory_infrastructure_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_active_directory_infrastructure_via_powersploit_modules.test.yml
@@ -8,6 +8,4 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_computers_domains_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_computers_domains_via_powersploit_modules.test.yml
index c53f3ca626..9770d934b9 100644
--- a/tests/endpoint/ssa___recon_and_use_computers_domains_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_computers_domains_via_powersploit_modules.test.yml
@@ -8,6 +8,4 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml
index 5af2151331..47067e795d 100644
--- a/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_computers_via_mimikatz_modules.test.yml
@@ -8,6 +8,4 @@ tests:
- file_name: logAllMimikatzModules.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_operating_system_elements_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_operating_system_elements_via_powersploit_modules.test.yml
index fb862c95b9..083df9573a 100644
--- a/tests/endpoint/ssa___recon_and_use_operating_system_elements_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_operating_system_elements_via_powersploit_modules.test.yml
@@ -8,6 +8,4 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_shares_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_and_use_shares_via_mimikatz_modules.test.yml
index 87d2005854..56a93c9975 100644
--- a/tests/endpoint/ssa___recon_and_use_shares_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_shares_via_mimikatz_modules.test.yml
@@ -8,5 +8,3 @@ tests:
- file_name: logAllMimikatzModules.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml
index 0c656ef103..b5ab478e2b 100644
--- a/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml
@@ -8,6 +8,4 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_connectivity_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_connectivity_via_powersploit_modules.test.yml
index 568be310fe..5f49c6706b 100644
--- a/tests/endpoint/ssa___recon_connectivity_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_connectivity_via_powersploit_modules.test.yml
@@ -8,6 +8,4 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_credential_stores_and_services_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_credential_stores_and_services_via_mimikatz_modules.test.yml
index b17ae2dcb4..b611e5a39b 100644
--- a/tests/endpoint/ssa___recon_credential_stores_and_services_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___recon_credential_stores_and_services_via_mimikatz_modules.test.yml
@@ -8,5 +8,3 @@ tests:
- file_name: logAllMimikatzModules.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___recon_defensive_tools_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_defensive_tools_via_powersploit_modules.test.yml
index 4493b7b1a6..c715c3b2cb 100644
--- a/tests/endpoint/ssa___recon_defensive_tools_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___recon_defensive_tools_via_powersploit_modules.test.yml
@@ -8,6 +8,4 @@ tests: - file_name: logAllPowerSploitModulesWithOldNames.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.test.yml index caed7375c8..d42ca19ca9 100644 --- a/tests/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.test.yml @@ -8,6 +8,4 @@ tests: - file_name: logAllPowerSploitModulesWithOldNames.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___recon_process_service_hijacking_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_process_service_hijacking_via_mimikatz_modules.test.yml index f547e8ac50..3100086761 100644 --- a/tests/endpoint/ssa___recon_process_service_hijacking_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___recon_process_service_hijacking_via_mimikatz_modules.test.yml @@ -8,6 +8,4 @@ tests: - file_name: logAllMimikatzModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True 
diff --git a/tests/endpoint/ssa___recon_processes_and_services_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___recon_processes_and_services_via_mimikatz_modules.test.yml index 06b0023a14..532bc3f60b 100644 --- a/tests/endpoint/ssa___recon_processes_and_services_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___recon_processes_and_services_via_mimikatz_modules.test.yml @@ -8,6 +8,4 @@ tests: - file_name: logAllMimikatzModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___setting_credentials_via_dsinternals_modules.test.yml b/tests/endpoint/ssa___setting_credentials_via_dsinternals_modules.test.yml index 808f7efc67..2f1b684c11 100644 --- a/tests/endpoint/ssa___setting_credentials_via_dsinternals_modules.test.yml +++ b/tests/endpoint/ssa___setting_credentials_via_dsinternals_modules.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logAllDSInternalsModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllDSInternalsModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___setting_credentials_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___setting_credentials_via_mimikatz_modules.test.yml index 78d9cf9468..185457e21a 100644 --- a/tests/endpoint/ssa___setting_credentials_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___setting_credentials_via_mimikatz_modules.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logAllMimikatzModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True 
diff --git a/tests/endpoint/ssa___setting_credentials_via_powersploit_modules.test.yml b/tests/endpoint/ssa___setting_credentials_via_powersploit_modules.test.yml index f4507e99b0..cf50843bf1 100644 --- a/tests/endpoint/ssa___setting_credentials_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___setting_credentials_via_powersploit_modules.test.yml @@ -8,6 +8,4 @@ tests: - file_name: logAllPowerSploitModulesWithOldNames.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True From e2209cb74194c7f601e561d2f803f8617e831686 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 26 Mar 2021 10:21:19 +0100 Subject: [PATCH 17/25] updated test files --- .../ssa___recon_and_use_shares_via_powersploit_modules.test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml b/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml index b5ab478e2b..9a6587ebde 100644 --- a/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___recon_and_use_shares_via_powersploit_modules.test.yml @@ -8,4 +8,3 @@ tests: - file_name: logAllPowerSploitModulesWithOldNames.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log source: WinEventLog:Security - From f4c08262b942f0182042693572bb930dfc636382 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 26 Mar 2021 10:26:08 +0100 Subject: [PATCH 18/25] updated test files --- bin/ssa-end-to-end-testing/modules/test_ssa_detections.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/bin/ssa-end-to-end-testing/modules/test_ssa_detections.py b/bin/ssa-end-to-end-testing/modules/test_ssa_detections.py index 36c5c642e2..d9c323c189 100644 --- a/bin/ssa-end-to-end-testing/modules/test_ssa_detections.py +++ b/bin/ssa-end-to-end-testing/modules/test_ssa_detections.py @@ -16,7 +16,7 @@ SLEEP_TIME_ACTIVATE_PIPELINE = 10 SLEEP_TIME_SEND_DATA = 30 WAIT_CYCLE = 20 -MAX_EXECUTION_TIME_LIMIT = 400 # per detection test +MAX_EXECUTION_TIME_LIMIT = 600 # per detection test TEST_DATASET = 'windows-security_small.txt' From da86a0b7cf088e157cbd4b1509ff1d83009119db Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 26 Mar 2021 12:04:51 +0100 Subject: [PATCH 19/25] updated test files --- ...rivilege_escalation_opportunities_via_powersploit_modules.yml | 1 + ...ge_elevation_and_persistence_via_powersploit_modules.test.yml | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.yml b/detections/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.yml index 7d0c01fb62..b77d9fdae6 100644 --- a/detections/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.yml +++ b/detections/endpoint/ssa___recon_privilege_escalation_opportunities_via_powersploit_modules.yml @@ -46,3 +46,4 @@ tags: - dest_user_id risk_severity: high security_domain: endpoint + diff --git a/tests/endpoint/ssa___illegal_privilege_elevation_and_persistence_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_privilege_elevation_and_persistence_via_powersploit_modules.test.yml index a308e881c6..37365127db 100644 --- a/tests/endpoint/ssa___illegal_privilege_elevation_and_persistence_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___illegal_privilege_elevation_and_persistence_via_powersploit_modules.test.yml 
@@ -7,4 +7,3 @@ tests: attack_data: - file_name: logAllPowerSploitModulesWithOldNames.log data: https://ssa-test-dataset.s3-us-west-2.amazonaws.com/logAllPowerSploitModulesWithOldNames.log - From 3707bedfc58d5367753771efa25e01d9cc763909 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 26 Mar 2021 13:09:54 +0100 Subject: [PATCH 20/25] updated test files --- bin/ssa-end-to-end-testing/modules/github_service.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/bin/ssa-end-to-end-testing/modules/github_service.py b/bin/ssa-end-to-end-testing/modules/github_service.py index 09e13de335..bfc5cc2f03 100644 --- a/bin/ssa-end-to-end-testing/modules/github_service.py +++ b/bin/ssa-end-to-end-testing/modules/github_service.py @@ -44,8 +44,6 @@ def get_changed_test_files_ssa(self): if os.path.basename(file_path).startswith('ssa'): file_path_base = os.path.splitext(file_path)[0].replace('detections', 'tests') + '.test' file_path_new = file_path_base + '.yml' - if not os.path.exists(file_path_new): - file_path_new = file_path_base + '.yaml' if file_path_new not in changed_ssa_test_files: changed_ssa_test_files.append(file_path_new) From 2e5f9053c09d1faec9744ef913c28c490795c825 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 26 Mar 2021 13:57:06 +0100 Subject: [PATCH 21/25] WIP --- .../modules/github_service.py | 12 +++-- .../run_ssa_smoketest.py | 54 +++++++++---------- bin/ssa-end-to-end-testing/security_content | 1 + 3 files changed, 36 insertions(+), 31 deletions(-) create mode 160000 bin/ssa-end-to-end-testing/security_content diff --git a/bin/ssa-end-to-end-testing/modules/github_service.py b/bin/ssa-end-to-end-testing/modules/github_service.py index 09e13de335..38b27aeede 100644 --- a/bin/ssa-end-to-end-testing/modules/github_service.py +++ b/bin/ssa-end-to-end-testing/modules/github_service.py @@ -2,6 +2,7 @@ import git import os import logging +import glob # Logger 
@@ -27,8 +28,12 @@ def get_changed_test_files_ssa(self): branch1 = self.security_content_branch branch2 = 'develop' g = git.Git('security_content') - differ = g.diff('--name-only', branch1, branch2) - changed_files = differ.splitlines() + if branch1 != 'develop': + differ = g.diff('--name-only', branch1, branch2) + changed_files = differ.splitlines() + else: + # If branch is develop (nightly run), then we will run all possible tests + changed_files = sorted(glob.glob('security_content/tests/')) changed_ssa_test_files = [] @@ -44,11 +49,10 @@ def get_changed_test_files_ssa(self): if os.path.basename(file_path).startswith('ssa'): file_path_base = os.path.splitext(file_path)[0].replace('detections', 'tests') + '.test' file_path_new = file_path_base + '.yml' - if not os.path.exists(file_path_new): - file_path_new = file_path_base + '.yaml' if file_path_new not in changed_ssa_test_files: changed_ssa_test_files.append(file_path_new) return changed_ssa_test_files + diff --git a/bin/ssa-end-to-end-testing/run_ssa_smoketest.py b/bin/ssa-end-to-end-testing/run_ssa_smoketest.py index 6e69820fba..8262466caa 100644 --- a/bin/ssa-end-to-end-testing/run_ssa_smoketest.py +++ b/bin/ssa-end-to-end-testing/run_ssa_smoketest.py 
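Review bot: `glob.glob('security_content/tests/')` in the new `else` branch matches only the directory itself, so on a nightly run `changed_files` is at most `['security_content/tests/']`, and since that entry starts with neither `tests` nor `detections` the loop in the next hunk appends nothing and the nightly run tests zero detections. The pattern has to enumerate the test files (`'security_content/tests/*/*.yml'` or a recursive glob) and strip the `security_content/` prefix before the `startswith` checks; patch 23 in this series does exactly that, so this is a note that the intermediate commit is broken rather than a request for a different fix. The enclosing get_changed_test_files_ssa continues past this hunk.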
@@ -42,33 +42,33 @@ def main(args): LOGGER.info('Nothing to test for SSA smoke test.') sys.exit(0) - # test DSP and SSA pipeline - ssa_detection_testing = SSADetectionTesting(env, tenant, token) - test_result_passed = ssa_detection_testing.test_dsp_pipeline() - - if not test_result_passed: - sys.exit(1) - - # # test SSA detections - test_results = [] - test_passed = True - for test_file in test_files_ssa: - test_obj, attack_data_folder = prepare_test(test_file) - test_result = ssa_detection_testing.test_ssa_detections(test_obj) - test_results.append(test_result.copy()) - remove_attack_data(attack_data_folder) - - LOGGER.info('-----------------------------------') - LOGGER.info('------- test SSA detections -------') - LOGGER.info('-----------------------------------') - for test_result in test_results: - test_passed = test_passed and test_result['result'] - LOGGER.info(test_result['msg']) - LOGGER.info('-----------------------------------') - - remove_security_content() - exit_code = not test_passed - sys.exit(exit_code) + # # test DSP and SSA pipeline + # ssa_detection_testing = SSADetectionTesting(env, tenant, token) + # test_result_passed = ssa_detection_testing.test_dsp_pipeline() + + # if not test_result_passed: + # sys.exit(1) + + # # # test SSA detections + # test_results = [] + # test_passed = True + # for test_file in test_files_ssa: + # test_obj, attack_data_folder = prepare_test(test_file) + # test_result = ssa_detection_testing.test_ssa_detections(test_obj) + # test_results.append(test_result.copy()) + # remove_attack_data(attack_data_folder) + + # LOGGER.info('-----------------------------------') + # LOGGER.info('------- test SSA detections -------') + # LOGGER.info('-----------------------------------') + # for test_result in test_results: + # test_passed = test_passed and test_result['result'] + # LOGGER.info(test_result['msg']) + # LOGGER.info('-----------------------------------') + + # remove_security_content() + # exit_code = not test_passed + # 
sys.exit(exit_code) diff --git a/bin/ssa-end-to-end-testing/security_content b/bin/ssa-end-to-end-testing/security_content new file mode 160000 index 0000000000..d85ba4ade5 --- /dev/null +++ b/bin/ssa-end-to-end-testing/security_content @@ -0,0 +1 @@ +Subproject commit d85ba4ade5ea67c34e45d851dfec2b5b7190b7fc From e8655b6e54073e8c35f436ac09eae377649c1554 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 26 Mar 2021 13:57:22 +0100 Subject: [PATCH 22/25] WIP --- bin/ssa-end-to-end-testing/security_content | 1 - 1 file changed, 1 deletion(-) delete mode 160000 bin/ssa-end-to-end-testing/security_content diff --git a/bin/ssa-end-to-end-testing/security_content b/bin/ssa-end-to-end-testing/security_content deleted file mode 160000 index d85ba4ade5..0000000000 --- a/bin/ssa-end-to-end-testing/security_content +++ /dev/null @@ -1 +0,0 @@ -Subproject commit d85ba4ade5ea67c34e45d851dfec2b5b7190b7fc From b8e2dcea1338b66fb49621c229a2ffeaf45c379e Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 26 Mar 2021 16:22:33 +0100 Subject: [PATCH 23/25] changed github service --- .../modules/github_service.py | 40 ++++++++------ .../run_ssa_smoketest.py | 54 +++++++++---------- bin/ssa-end-to-end-testing/security_content | 1 + 3 files changed, 51 insertions(+), 44 deletions(-) create mode 160000 bin/ssa-end-to-end-testing/security_content diff --git a/bin/ssa-end-to-end-testing/modules/github_service.py b/bin/ssa-end-to-end-testing/modules/github_service.py index 38b27aeede..0275bd952b 100644 --- a/bin/ssa-end-to-end-testing/modules/github_service.py +++ b/bin/ssa-end-to-end-testing/modules/github_service.py 
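Review bot: `bin/ssa-end-to-end-testing/security_content` is committed here as a gitlink (`new file mode 160000`) with no `.gitmodules` entry in the diffstat, which is what git records when a nested clone gets staged; it is the same checkout that `git.Git('security_content')` in github_service.py diffs against at run time. The gitlink is deleted again in the next commit and the identical hunk recurs in patch 23 before being removed once more in patch 25, so the directory is evidently not ignored. Add `security_content/` to a `.gitignore` in `bin/ssa-end-to-end-testing/` so the clone created by a test run cannot be staged. A dangling gitlink without a `.gitmodules` mapping leaves an empty directory in fresh clones and, as far as I know, makes `git submodule update` fail on that path.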
@@ -28,29 +28,35 @@ def get_changed_test_files_ssa(self): branch1 = self.security_content_branch branch2 = 'develop' g = git.Git('security_content') + changed_ssa_test_files = [] + if branch1 != 'develop': differ = g.diff('--name-only', branch1, branch2) changed_files = differ.splitlines() - else: - # If branch is develop (nightly run), then we will run all possible tests - changed_files = sorted(glob.glob('security_content/tests/')) - changed_ssa_test_files = [] - - for file_path in changed_files: - # added or changed test files - if file_path.startswith('tests'): - if os.path.basename(file_path).startswith('ssa'): - if file_path not in changed_ssa_test_files: - changed_ssa_test_files.append(file_path) + for file_path in changed_files: + # added or changed test files + if file_path.startswith('tests'): + if os.path.basename(file_path).startswith('ssa'): + if file_path not in changed_ssa_test_files: + changed_ssa_test_files.append(file_path) + + # changed detections + if file_path.startswith('detections'): + if os.path.basename(file_path).startswith('ssa'): + file_path_base = os.path.splitext(file_path)[0].replace('detections', 'tests') + '.test' + file_path_new = file_path_base + '.yml' + if file_path_new not in changed_ssa_test_files: + changed_ssa_test_files.append(file_path_new) + + # all SSA test files for nightly build + else: + changed_files = sorted(glob.glob('security_content/tests/*/*.yml')) - # changed detections - if file_path.startswith('detections'): + for file_path in changed_files: + file_path = file_path.replace('security_content/','') if os.path.basename(file_path).startswith('ssa'): - file_path_base = os.path.splitext(file_path)[0].replace('detections', 'tests') + '.test' - file_path_new = file_path_base + '.yml' - if file_path_new not in changed_ssa_test_files: - changed_ssa_test_files.append(file_path_new) + changed_ssa_test_files.append(file_path) return changed_ssa_test_files 
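Review bot: In the branch path, `file_path_new` is appended for every changed `ssa` detection without checking that the test file exists, and `git diff --name-only` also lists files deleted or renamed on the branch, so a deleted detection (or a deleted `tests/` file) yields a path that presumably fails later in `prepare_test`; the `.yaml` check removed in patch 20 was only an extension fallback, so nothing filters these. Guard the append with `if os.path.exists(os.path.join('security_content', file_path_new)):` — the nightly branch shows that paths are relative to the parent of `security_content`, so the check needs that prefix. The nightly pattern `'security_content/tests/*/*.yml'` only descends one directory level and only matches `.yml`, which is fine as long as every SSA test lives in `tests/<dir>/` with that extension, but a comment stating that assumption would save the next reader a trip; `file_path.replace('security_content/','')` would also be safer as `os.path.relpath(file_path, 'security_content')`, which strips only the prefix and copes with platform separators. `branch1 != 'develop'` repeats the literal already bound to `branch2`; `branch1 != branch2` keeps the two in step.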
diff --git a/bin/ssa-end-to-end-testing/run_ssa_smoketest.py b/bin/ssa-end-to-end-testing/run_ssa_smoketest.py index 8262466caa..6e69820fba 100644 --- a/bin/ssa-end-to-end-testing/run_ssa_smoketest.py +++ b/bin/ssa-end-to-end-testing/run_ssa_smoketest.py 
@@ -42,33 +42,33 @@ def main(args): LOGGER.info('Nothing to test for SSA smoke test.') sys.exit(0) - # # test DSP and SSA pipeline - # ssa_detection_testing = SSADetectionTesting(env, tenant, token) - # test_result_passed = ssa_detection_testing.test_dsp_pipeline() - - # if not test_result_passed: - # sys.exit(1) - - # # # test SSA detections - # test_results = [] - # test_passed = True - # for test_file in test_files_ssa: - # test_obj, attack_data_folder = prepare_test(test_file) - # test_result = ssa_detection_testing.test_ssa_detections(test_obj) - # test_results.append(test_result.copy()) - # remove_attack_data(attack_data_folder) - - # LOGGER.info('-----------------------------------') - # LOGGER.info('------- test SSA detections -------') - # LOGGER.info('-----------------------------------') - # for test_result in test_results: - # test_passed = test_passed and test_result['result'] - # LOGGER.info(test_result['msg']) - # LOGGER.info('-----------------------------------') - - # remove_security_content() - # exit_code = not test_passed - # sys.exit(exit_code) + # test DSP and SSA pipeline + ssa_detection_testing = SSADetectionTesting(env, tenant, token) + test_result_passed = ssa_detection_testing.test_dsp_pipeline() + + if not test_result_passed: + sys.exit(1) + + # # test SSA detections + test_results = [] + test_passed = True + for test_file in test_files_ssa: + test_obj, attack_data_folder = prepare_test(test_file) + test_result = ssa_detection_testing.test_ssa_detections(test_obj) + test_results.append(test_result.copy()) + remove_attack_data(attack_data_folder) + + LOGGER.info('-----------------------------------') + LOGGER.info('------- test SSA detections -------') + LOGGER.info('-----------------------------------') + for test_result in test_results: + test_passed = test_passed and test_result['result'] + LOGGER.info(test_result['msg']) + LOGGER.info('-----------------------------------') + + remove_security_content() + exit_code = not test_passed + 
sys.exit(exit_code) diff --git a/bin/ssa-end-to-end-testing/security_content b/bin/ssa-end-to-end-testing/security_content new file mode 160000 index 0000000000..d85ba4ade5 --- /dev/null +++ b/bin/ssa-end-to-end-testing/security_content @@ -0,0 +1 @@ +Subproject commit d85ba4ade5ea67c34e45d851dfec2b5b7190b7fc From d38c53df07c99450e6433eeee4f4245faa6c53f0 Mon Sep 17 00:00:00 2001 
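Review bot: `remove_attack_data(attack_data_folder)` runs only when `test_ssa_detections` returns normally, and `remove_security_content()` is skipped on the `sys.exit(1)` path after the DSP pipeline check, so an exception in a single detection test or a pipeline failure leaves the downloaded attack data and the cloned `security_content` checkout behind on the runner. Wrap the per-test call in `try/finally` and run the cleanup of the checkout from a `finally` (or call `remove_security_content()` before that `sys.exit(1)`). `exit_code = not test_passed` depends on `sys.exit(True)` mapping to status 1; `sys.exit(0 if test_passed else 1)` says the same without the implicit bool-to-int conversion. The enclosing `main` starts before this hunk.
```python
    # … unchanged: DSP pipeline check and sys.exit(1) on failure …
    test_results = []
    test_passed = True
    try:
        for test_file in test_files_ssa:
            test_obj, attack_data_folder = prepare_test(test_file)
            try:
                test_result = ssa_detection_testing.test_ssa_detections(test_obj)
                test_results.append(test_result.copy())
            finally:
                remove_attack_data(attack_data_folder)
        # … unchanged: result logging loop …
    finally:
        remove_security_content()
    sys.exit(0 if test_passed else 1)
```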
From: P4T12ICK Date: Fri, 26 Mar 2021 16:29:58 +0100 Subject: [PATCH 24/25] updated test file --- ..._applying_stolen_credentials_via_mimikatz_modules.test.yml | 2 -- ...plying_stolen_credentials_via_powersploit_modules.test.yml | 2 -- ...ssess_credential_strength_via_dsinternals_modules.test.yml | 2 -- ...tempted_credential_dump_from_registry_via_reg_exe.test.yml | 2 -- ...dential_extraction_dsinternals_conversion_modules.test.yml | 2 -- .../ssa___credential_extraction_dsinternals_modules.test.yml | 2 -- ...__credential_extraction_fgdump_cachedump_s_option.test.yml | 2 -- ...__credential_extraction_fgdump_cachedump_v_option.test.yml | 4 +--- ...___credential_extraction_getaddbaccount_from_dump.test.yml | 2 -- ...a___credential_extraction_lazagne_command_options.test.yml | 2 -- .../ssa___credential_extraction_mimikatz_modules.test.yml | 2 -- ...___credential_extraction_ms_debuggers_kernel_peek.test.yml | 2 -- ...ssa___credential_extraction_ms_debuggers_z_option.test.yml | 2 -- .../ssa___credential_extraction_powersploit_modules.test.yml | 2 -- .../ssa___detect_dump_lsass_memory_using_comsvcs.test.yml | 4 +--- ...legal_access_user_content_via_powersploit_modules.test.yml | 2 -- ..._illegal_account_creation_via_powersploit_modules.test.yml | 2 -- ...al_account_enable_disable_via_dsinternals_modules.test.yml | 4 +--- .../ssa___illegal_log_deletion_via_mimikatz_modules.test.yml | 2 -- ..._AD_elements_and_policies_via_dsinternals_modules.test.yml | 4 +--- ...computers_and_AD_elements_via_powersploit_modules.test.yml | 2 -- ..._illegal_privilege_elevation_via_mimikatz_modules.test.yml | 2 -- ..._service_and_process_control_via_mimikatz_modules.test.yml | 2 -- 23 files changed, 4 insertions(+), 50 deletions(-) diff --git a/tests/endpoint/ssa___applying_stolen_credentials_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___applying_stolen_credentials_via_mimikatz_modules.test.yml index d74531149e..cf7d52e9f5 100644 
--- a/tests/endpoint/ssa___applying_stolen_credentials_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___applying_stolen_credentials_via_mimikatz_modules.test.yml @@ -8,6 +8,4 @@ tests: - file_name: logAllMimikatzModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___applying_stolen_credentials_via_powersploit_modules.test.yml b/tests/endpoint/ssa___applying_stolen_credentials_via_powersploit_modules.test.yml index 95e039ff68..610154adeb 100644 --- a/tests/endpoint/ssa___applying_stolen_credentials_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___applying_stolen_credentials_via_powersploit_modules.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logAllPowerSploitModulesWithOldNames.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/applying_stolen_credentials/logAllPowerSploitModulesWithOldNames.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___assess_credential_strength_via_dsinternals_modules.test.yml b/tests/endpoint/ssa___assess_credential_strength_via_dsinternals_modules.test.yml index 3ff7a8521c..9f0798b4af 100644 --- a/tests/endpoint/ssa___assess_credential_strength_via_dsinternals_modules.test.yml +++ b/tests/endpoint/ssa___assess_credential_strength_via_dsinternals_modules.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logAllDSInternalsModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllDSInternalsModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True 
diff --git a/tests/endpoint/ssa___attempted_credential_dump_from_registry_via_reg_exe.test.yml b/tests/endpoint/ssa___attempted_credential_dump_from_registry_via_reg_exe.test.yml index d4a8c0ee83..daf250b187 100644 --- a/tests/endpoint/ssa___attempted_credential_dump_from_registry_via_reg_exe.test.yml +++ b/tests/endpoint/ssa___attempted_credential_dump_from_registry_via_reg_exe.test.yml @@ -8,6 +8,4 @@ tests: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_dsinternals_conversion_modules.test.yml b/tests/endpoint/ssa___credential_extraction_dsinternals_conversion_modules.test.yml index 57059b1dc3..c86fd18516 100644 --- a/tests/endpoint/ssa___credential_extraction_dsinternals_conversion_modules.test.yml +++ b/tests/endpoint/ssa___credential_extraction_dsinternals_conversion_modules.test.yml @@ -8,6 +8,4 @@ tests: - file_name: logAllDSInternalsModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllDSInternalsModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_dsinternals_modules.test.yml b/tests/endpoint/ssa___credential_extraction_dsinternals_modules.test.yml index 94c95be73d..24d3b24915 100644 --- a/tests/endpoint/ssa___credential_extraction_dsinternals_modules.test.yml +++ b/tests/endpoint/ssa___credential_extraction_dsinternals_modules.test.yml 
@@ -8,6 +8,4 @@ tests: - file_name: logAllDSInternalsModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllDSInternalsModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_s_option.test.yml b/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_s_option.test.yml index 51552951ef..539bf7b484 100644 --- a/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_s_option.test.yml +++ b/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_s_option.test.yml @@ -8,6 +8,4 @@ tests: - file_name: logFgdump.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logFgdump.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_v_option.test.yml b/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_v_option.test.yml index f572408a4d..38119dcef1 100644 --- a/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_v_option.test.yml +++ b/tests/endpoint/ssa___credential_extraction_fgdump_cachedump_v_option.test.yml @@ -7,6 +7,4 @@ tests: attack_data: - file_name: logFgdump.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logFgdump.log - source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True \ No newline at end of file + source: WinEventLog:Security \ No newline at end of file diff --git a/tests/endpoint/ssa___credential_extraction_getaddbaccount_from_dump.test.yml b/tests/endpoint/ssa___credential_extraction_getaddbaccount_from_dump.test.yml index 4e8e29d7cc..5a81cedcd8 100644 --- a/tests/endpoint/ssa___credential_extraction_getaddbaccount_from_dump.test.yml 
+++ b/tests/endpoint/ssa___credential_extraction_getaddbaccount_from_dump.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logPowerShellModule.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logPowerShellModule.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_lazagne_command_options.test.yml b/tests/endpoint/ssa___credential_extraction_lazagne_command_options.test.yml index 18ebe75967..ba5d8c8686 100644 --- a/tests/endpoint/ssa___credential_extraction_lazagne_command_options.test.yml +++ b/tests/endpoint/ssa___credential_extraction_lazagne_command_options.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logLazagneCredDump.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLazagneCredDump.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_mimikatz_modules.test.yml b/tests/endpoint/ssa___credential_extraction_mimikatz_modules.test.yml index 262e694420..c781b05eb3 100644 --- a/tests/endpoint/ssa___credential_extraction_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___credential_extraction_mimikatz_modules.test.yml @@ -8,6 +8,4 @@ tests: - file_name: logAllMimikatzModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_ms_debuggers_kernel_peek.test.yml b/tests/endpoint/ssa___credential_extraction_ms_debuggers_kernel_peek.test.yml index 5969a15fd8..6ad06a52bb 100644 --- a/tests/endpoint/ssa___credential_extraction_ms_debuggers_kernel_peek.test.yml 
+++ b/tests/endpoint/ssa___credential_extraction_ms_debuggers_kernel_peek.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logLiveKDFullKernelDump.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLiveKDFullKernelDump.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_ms_debuggers_z_option.test.yml b/tests/endpoint/ssa___credential_extraction_ms_debuggers_z_option.test.yml index a9d5d4b648..ca7da55118 100644 --- a/tests/endpoint/ssa___credential_extraction_ms_debuggers_z_option.test.yml +++ b/tests/endpoint/ssa___credential_extraction_ms_debuggers_z_option.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logLiveKDFullKernelDump.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLiveKDFullKernelDump.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___credential_extraction_powersploit_modules.test.yml b/tests/endpoint/ssa___credential_extraction_powersploit_modules.test.yml index c238c25b02..b3d2c7933e 100644 --- a/tests/endpoint/ssa___credential_extraction_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___credential_extraction_powersploit_modules.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logAllPowerSploitModulesWithOldNames.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___detect_dump_lsass_memory_using_comsvcs.test.yml b/tests/endpoint/ssa___detect_dump_lsass_memory_using_comsvcs.test.yml index 35d3148446..523f32f702 100644 --- a/tests/endpoint/ssa___detect_dump_lsass_memory_using_comsvcs.test.yml 
+++ b/tests/endpoint/ssa___detect_dump_lsass_memory_using_comsvcs.test.yml @@ -7,6 +7,4 @@ tests: attack_data: - file_name: windows-security.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security.log - source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True \ No newline at end of file + source: WinEventLog:Security \ No newline at end of file diff --git a/tests/endpoint/ssa___illegal_access_user_content_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_access_user_content_via_powersploit_modules.test.yml index 2a3ed57b68..c8b8e52bc5 100644 --- a/tests/endpoint/ssa___illegal_access_user_content_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___illegal_access_user_content_via_powersploit_modules.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logAllPowerSploitModulesWithOldNames.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/illegal_access_to_content/logAllPowerSploitModulesWithOldNames.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_account_creation_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_account_creation_via_powersploit_modules.test.yml index 10423476c6..0bbf466508 100644 --- a/tests/endpoint/ssa___illegal_account_creation_via_powersploit_modules.test.yml +++ b/tests/endpoint/ssa___illegal_account_creation_via_powersploit_modules.test.yml @@ -8,6 +8,4 @@ tests: - file_name: logAllPowerSploitModulesWithOldNames.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/illegal_access_to_content/logAllPowerSploitModulesWithOldNames.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True 
diff --git a/tests/endpoint/ssa___illegal_account_enable_disable_via_dsinternals_modules.test.yml b/tests/endpoint/ssa___illegal_account_enable_disable_via_dsinternals_modules.test.yml index baeba55003..f2cf94f199 100644 --- a/tests/endpoint/ssa___illegal_account_enable_disable_via_dsinternals_modules.test.yml +++ b/tests/endpoint/ssa___illegal_account_enable_disable_via_dsinternals_modules.test.yml @@ -7,6 +7,4 @@ tests: attack_data: - file_name: logAllDSInternalsModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/logAllDSInternalsModules.log - source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True \ No newline at end of file + source: WinEventLog:Security \ No newline at end of file diff --git a/tests/endpoint/ssa___illegal_log_deletion_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___illegal_log_deletion_via_mimikatz_modules.test.yml index fc161aa338..29b0397ff2 100644 --- a/tests/endpoint/ssa___illegal_log_deletion_via_mimikatz_modules.test.yml +++ b/tests/endpoint/ssa___illegal_log_deletion_via_mimikatz_modules.test.yml @@ -8,5 +8,3 @@ tests: - file_name: logAllMimikatzModules.log data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/illegal_log_deletion/logAllMimikatzModules.log source: WinEventLog:Security - sourcetype: xmlwineventlog - update_timestamp: True diff --git a/tests/endpoint/ssa___illegal_management_AD_elements_and_policies_via_dsinternals_modules.test.yml b/tests/endpoint/ssa___illegal_management_AD_elements_and_policies_via_dsinternals_modules.test.yml index 627f7de3d6..2b0471fe87 100644 --- a/tests/endpoint/ssa___illegal_management_AD_elements_and_policies_via_dsinternals_modules.test.yml +++ b/tests/endpoint/ssa___illegal_management_AD_elements_and_policies_via_dsinternals_modules.test.yml 
@@ -7,6 +7,4 @@ tests:
attack_data:
- file_name: logAllDSInternalsModules.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/logAllDSInternalsModules.log
- source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
\ No newline at end of file
+ source: WinEventLog:Security
\ No newline at end of file
diff --git a/tests/endpoint/ssa___illegal_management_computers_and_AD_elements_via_powersploit_modules.test.yml b/tests/endpoint/ssa___illegal_management_computers_and_AD_elements_via_powersploit_modules.test.yml
index cb73e27946..2ce4a24443 100644
--- a/tests/endpoint/ssa___illegal_management_computers_and_AD_elements_via_powersploit_modules.test.yml
+++ b/tests/endpoint/ssa___illegal_management_computers_and_AD_elements_via_powersploit_modules.test.yml
@@ -8,5 +8,3 @@ tests:
- file_name: logAllPowerSploitModulesWithOldNames.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/logAllPowerSploitModulesWithOldNames.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___illegal_privilege_elevation_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___illegal_privilege_elevation_via_mimikatz_modules.test.yml
index 8a5d80300b..3f1353c209 100644
--- a/tests/endpoint/ssa___illegal_privilege_elevation_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___illegal_privilege_elevation_via_mimikatz_modules.test.yml
@@ -8,5 +8,3 @@ tests:
- file_name: logAllMimikatzModules.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/logAllMimikatzModules.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
diff --git a/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml b/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml
index 1d6249f697..6d817ccd8e 100644
--- a/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml
+++ b/tests/endpoint/ssa___illegal_service_and_process_control_via_mimikatz_modules.test.yml
@@ -8,5 +8,3 @@ tests:
- file_name: logAllMimikatzModules.log
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log
source: WinEventLog:Security
- sourcetype: xmlwineventlog
- update_timestamp: True
From 5b28b731c51fdca74dd5fa622bf69e1ce611201b Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Fri, 26 Mar 2021 16:31:57 +0100
Subject: [PATCH 25/25] add nightly test
---
bin/ssa-end-to-end-testing/security_content | 1 -
1 file changed, 1 deletion(-)
delete mode 160000 bin/ssa-end-to-end-testing/security_content
diff --git a/bin/ssa-end-to-end-testing/security_content b/bin/ssa-end-to-end-testing/security_content
deleted file mode 160000
index d85ba4ade5..0000000000
--- a/bin/ssa-end-to-end-testing/security_content
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit d85ba4ade5ea67c34e45d851dfec2b5b7190b7fc
