From 612c290a57d4a121259ff70598f6be39b7026732 Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Tue, 7 Jan 2025 15:38:50 +1000
Subject: [PATCH] adding azurehound and spn privesc datasets

---
 .../T1087.004/azurehound/azurehound.log | 3 +++
 .../T1087.004/azurehound/azurehound.yml | 11 +++++++++++
 .../azure_ad_spn_privesc/azure_ad_spn_privesc.log | 3 +++
 .../azure_ad_spn_privesc/azure_ad_spn_privesc.yml | 13 +++++++++++++
 .../T1098.003/o365_spn_privesc/o365_spn_privesc.log | 3 +++
 .../T1098.003/o365_spn_privesc/o365_spn_privesc.yml | 13 +++++++++++++
 6 files changed, 46 insertions(+)
 create mode 100644 datasets/attack_techniques/T1087.004/azurehound/azurehound.log
 create mode 100644 datasets/attack_techniques/T1087.004/azurehound/azurehound.yml
 create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log
 create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml
 create mode 100644 datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log
 create mode 100644 datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml

diff --git a/datasets/attack_techniques/T1087.004/azurehound/azurehound.log b/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
new file mode 100644
index 00000000..9d841578
--- /dev/null
+++ b/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc58d8a45683f320416be78da095d3328df18d6285b1698ad055b293031c38c6
+size 22074
diff --git a/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml b/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml
new file mode 100644
index 00000000..f09a2c08
--- /dev/null
+++ b/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml
@@ -0,0 +1,11 @@
+author: Dean Luxton
+id: 14a1f8ea-e34a-449d-9081-0f16341e83c9
+date: '2025-01-07'
+description: Detonating AzureHound against Frothly
+environment: Frothly Azure
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
+sourcetypes:
+- azure:monitor:aad
+references:
+- https://github.com/SpecterOps/AzureHound
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log
new file mode 100644
index 00000000..65bdab7f
--- /dev/null
+++ b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1f7f30795dfc68a8bf307a438d12f58f01f2e640847916d9f7cbcf22e7bf0cfe
+size 3304
diff --git a/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml
new file mode 100644
index 00000000..b2cb9022
--- /dev/null
+++ b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml
@@ -0,0 +1,13 @@
+author: Dean Luxton
+id: db4f6922-ab94-4c29-aa66-ccbfcf86ce7b
+date: '2025-01-07'
+description: Performing SPN Priviliege escalation.
+environment: Frothly Azure
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log
+sourcetypes:
+- azure:monitor:aad
+references:
+- https://github.com/mvelazc0/BadZure
+- https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
+- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
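Review bot: The `description` field in azure_ad_spn_privesc.yml misspells "Privilege" as "Priviliege" and, as a one-clause summary, does not tell a detection engineer what the dataset actually contains; the same description is copied verbatim into o365_spn_privesc.yml in the following hunk. Dataset metadata is what analysts search when choosing test data, so the description should name the observable action, for example `description: Service principal privilege escalation (T1098.003) in the Frothly Azure tenant; Entra ID audit events covering the credential/role changes made by the attacker tooling.` — adjust to match what the LFS-tracked log really holds, which is not visible in this patch. A short note of which BadZure scenario produced the events would also make the two SPN datasets distinguishable from each other.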
diff --git a/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log b/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log
new file mode 100644
index 00000000..88b30238
--- /dev/null
+++ b/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5fd853a800b09b75856ea305dbeb1db5516cce45a3dde9352a85548375322255
+size 3675
diff --git a/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml b/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml
new file mode 100644
index 00000000..a0b687a7
--- /dev/null
+++ b/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml
@@ -0,0 +1,13 @@
+author: Dean Luxton
+id: db4f6922-ab94-4c29-aa66-ccbfcf86ce7b
+date: '2025-01-07'
+description: Performing SPN Priviliege escalation.
+environment: Frothly Azure
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log
+sourcetypes:
+- azure:monitor:aad
+references:
+- https://github.com/mvelazc0/BadZure
+- https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
+- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
\ No newline at end of file
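Review bot: o365_spn_privesc.yml reuses `id: db4f6922-ab94-4c29-aa66-ccbfcf86ce7b`, the exact UUID already assigned to azure_ad_spn_privesc.yml in the previous hunk, which looks like a copy-paste of that file; if the id is meant to be a unique dataset key, any tooling that indexes datasets by id will silently collapse or overwrite one of the two, so this file needs its own freshly generated UUID. The `sourcetypes` list also repeats `azure:monitor:aad` even though the dataset is named and pathed as an O365 capture and sits under a separate LFS object (different oid and size), so the events are presumably Office 365 management-activity audit records rather than Entra ID sign-in/audit logs; confirm against the log content and, if so, change the entry to the sourcetype the log is actually indexed under (e.g. `o365:management:activity`), since detections are gated on sourcetype and a mismatch means the test data will never hit them. Finally, `description` and `environment` are byte-identical to the sibling file, so a reader cannot tell which telemetry plane each dataset exercises; a one-line distinction such as `description: Service principal privilege escalation (T1098.003) as seen in the O365 management-activity audit log, companion to the Entra ID view in azure_ad_spn_privesc.` would make the pair usable.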