From 8aa030deb8e700a288f5ed5803216f2689a49bd5 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Mon, 6 Jan 2025 13:50:48 -0500
Subject: [PATCH 1/2] initial upload

---
 .../azure_mfasweep_events.log | 3 +++
 .../azure_mfasweep_events.yml | 14 ++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log
 create mode 100644 datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml

diff --git a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log
new file mode 100644
index 00000000..abab89a3
--- /dev/null
+++ b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ac689b65ab72fc6bad434ebebba4f42c2c2a846c915225829d2914010f9d9ad0
+size 12480
diff --git a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml
new file mode 100644
index 00000000..7f9ea024
--- /dev/null
+++ b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml
@@ -0,0 +1,14 @@
+author: Steven Dick
+id: 35cffd75-1e1c-4837-a886-94c4ebf79f62
+date: '2024-12-19'
+description: 'Sample of MFA Sweep events used to enumerate Azure/Entra/o365 MFA weaknesses.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1110
+- https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
+- https://sra.io/blog/msspray-wait-how-many-endpoints-dont-have-mfa/
+- https://github.com/dafthack/MFASweep/tree/master
\ No newline at end of file

From 2109cb0fbaf940af6865301112f5e1d2855f2aba Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Mon, 6 Jan 2025 13:53:07 -0500
Subject: [PATCH 2/2] Update azure_mfasweep_events.yml

---
 .../T1110/azure_mfasweep_events/azure_mfasweep_events.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml
index 7f9ea024..bbeddc30 100644
--- a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml
+++ b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml
@@ -1,5 +1,5 @@
 author: Steven Dick
-id: 35cffd75-1e1c-4837-a886-94c4ebf79f62
+id: 27ba7e07-280e-4890-9b31-f2060d86f4c6
 date: '2024-12-19'
 description: 'Sample of MFA Sweep events used to enumerate Azure/Entra/o365 MFA weaknesses.'
 environment: attack_range
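Review bot: The `description` on the fourth added line says only that these are MFASweep events, and because the accompanying `.log` is committed as an LFS pointer a reader of this metadata cannot tell which Microsoft endpoints were swept, what the sign-in outcomes look like, or whether tenant IDs, UPNs and source IPs were anonymized before publication. `environment: attack_range` suggests a lab tenant, so that is presumably the case, but the metadata should state it, e.g. `description: 'o365:management:activity sign-in events generated by running MFASweep against an attack_range lab tenant to enumerate which Microsoft endpoints accept single-factor authentication; tenant IDs, UPNs and source IPs are lab values.'`, adjusted to what the capture actually contains. The `dataset` URL is pinned to `master`, so it will only resolve once this PR is merged and will silently change if the file is ever re-uploaded under the same path; that appears to be the repository convention, but it is worth noting for anyone pulling the sample during review.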
@@ -11,4 +11,4 @@ references:
 - https://attack.mitre.org/techniques/T1110
 - https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
 - https://sra.io/blog/msspray-wait-how-many-endpoints-dont-have-mfa/
-- https://github.com/dafthack/MFASweep/tree/master
\ No newline at end of file
+- https://github.com/dafthack/MFASweep/tree/master