This repository contains sample log data that were collected after running adversary simulations in Microsoft 365

blueteam0ps/det-eng-samples

Background

This repository exists to support fellow threat detection engineers by providing sample data sets. The sample data sets were created by simulating adversary activity within the Microsoft 365 platform. Simulations were performed via PowerShell against the Microsoft APIs and through the M365 web portal. Microsoft Extractor Suite (https://github.com/invictus-ir/Microsoft-Extractor-Suite) was used to extract the logs for this project.

Current Sample Set

| No | Activity | MITRE Tactic | MITRE Technique | MITRE Sub-Technique | Source | Atomic Red Team Test |
|---|---|---|---|---|---|---|
| 1 | Password spraying followed by a successful login - MSOLSPRAY (PowerShell) | TA0006 - Credential Access | T1110 | T1110.003 | AzureActiveDirectoryStsLogon | |
| 2 | Password spraying followed by a successful login - MSOLSPRAY (Python) | TA0006 - Credential Access | T1110 | T1110.003 | AzureActiveDirectoryStsLogon | |
| 3 | Password spraying followed by a successful login - o365spray (default module) | TA0006 - Credential Access | T1110 | T1110.003 | AzureActiveDirectoryStsLogon | |
| 4 | Password spraying followed by a successful login - o365spray (reporting module) | TA0006 - Credential Access | T1110 | T1110.003 | AzureActiveDirectoryStsLogon | |
| 5 | Use MFASweep to identify the MFA status of MS services | TA0043 - Reconnaissance | T1592 | T1592.004 | AzureActiveDirectoryStsLogon | |
| 6 | Discovery using AzureHound list | TA0007 - Discovery | T1482 | - | AzureActiveDirectoryStsLogon | |
| 7 | Set audit bypass for a mailbox | TA0005 - Defense Evasion | T1562 | T1562.008 | ExchangeAdmin | |
| 8 | Set mailbox audit log age to zero | TA0005 - Defense Evasion | T1562 | T1562.001 | ExchangeAdmin | |
| 9 | Disable Unified Audit Log ingestion | TA0005 - Defense Evasion | T1562 | T1562.008 | ExchangeAdmin | |
| 10 | Assign Company Administrator role to a user in Azure | TA0003 - Persistence | T1098 | T1098.001 | Azure Active Directory | |
| 11 | Enable IMAP or POP for a mailbox | TA0009 - Collection | T1114 | T1114.002 | ExchangeAdmin | |
| 12 | Create an external forward for a mailbox | TA0009 - Collection | T1114 | T1114.003 | ExchangeAdmin | |
| 13 | Update an existing inbox rule | TA0005 - Defense Evasion | T1564 | T1564.008 | ExchangeAdmin | |
| 14 | Set a new inbox rule to delete e-mail | TA0005 - Defense Evasion | T1564 | T1564.008 | ExchangeAdmin | |
| 15 | Mailbox delegation with full access | TA0003 - Persistence | T1098 | T1098.002 | ExchangeAdmin | |
| 16 | Mailbox delegation with send-as permission | TA0003 - Persistence | T1098 | T1098.002 | ExchangeAdmin | |
| 17 | Disable MFA for a user | TA0003 - Persistence | T1556 | T1556.006 | Azure Active Directory | |
| 18 | Add ApplicationImpersonation role to an app | TA0003 - Persistence | T1098 | T1098.002 | ExchangeAdmin | |
| 19 | User removed from an admin group | TA0040 - Impact | T1531 | - | Azure Active Directory | |
| 20 | Remove auditing license from a user | TA0005 - Defense Evasion | T1562 | T1562.008 | Azure Active Directory | |
| 21 | Removal of a DLP compliance policy | TA0005 - Defense Evasion | T1562 | T1562.001 | Security & Compliance Center | |
| 22 | Change consent permission to allow any user to grant app consent | TA0005 - Defense Evasion | T1550 | T1550.001 | Azure Active Directory | |
| 23 | App registration for Rclone default config | TA0005 - Defense Evasion | T1550 | T1550.001 | Azure Active Directory | |
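The sample sets above are meant to be fed into detection logic, so here is a small detection pass of the kind a detection engineer would prototype against them. It is an added example and not code from the det-eng-samples repository or from Microsoft Extractor Suite. It assumes the export is NDJSON of Unified Audit Log records using the Office 365 Management Activity API field names (`CreationTime`, `RecordType`, `Operation`, `UserId`, `ClientIP`, `Parameters`), with `RecordType` carrying the enum name shown in the Source column rather than its numeric code; the records, the `INTERNAL_DOMAINS` set and the thresholds are constructed for this example. It covers the password-spray-followed-by-success rows (1-4, AzureActiveDirectoryStsLogon) by correlating failures across distinct accounts from one source IP with a later success, and the ExchangeAdmin rows (7-9, 11-16) by matching cmdlet names and parameters in a single record.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one Unified Audit Log record per line (NDJSON).
# Field names follow the Office 365 Management Activity API schema; RecordType
# is assumed to be the enum name as listed in the Source column above.
SAMPLE_NDJSON = """\
{"CreationTime":"2023-05-01T10:00:01","RecordType":"AzureActiveDirectoryStsLogon","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2023-05-01T10:00:03","RecordType":"AzureActiveDirectoryStsLogon","Operation":"UserLoginFailed","UserId":"bob@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2023-05-01T10:00:05","RecordType":"AzureActiveDirectoryStsLogon","Operation":"UserLoginFailed","UserId":"carol@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2023-05-01T10:00:09","RecordType":"AzureActiveDirectoryStsLogon","Operation":"UserLoggedIn","UserId":"carol@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2023-05-01T10:30:00","RecordType":"ExchangeAdmin","Operation":"Set-MailboxAuditBypassAssociation","UserId":"carol@example.com","Parameters":[{"Name":"Identity","Value":"carol"},{"Name":"AuditBypassEnabled","Value":"True"}]}
{"CreationTime":"2023-05-01T10:31:00","RecordType":"ExchangeAdmin","Operation":"New-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Name","Value":"cleanup"},{"Name":"SubjectContainsWords","Value":"invoice"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2023-05-01T10:32:00","RecordType":"ExchangeAdmin","Operation":"Set-Mailbox","UserId":"carol@example.com","Parameters":[{"Name":"Identity","Value":"carol"},{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@attacker.example"}]}
{"CreationTime":"2023-05-01T10:33:00","RecordType":"ExchangeAdmin","Operation":"Set-Mailbox","UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"dave"},{"Name":"AuditLogAgeLimit","Value":"0"}]}
{"CreationTime":"2023-05-01T10:34:00","RecordType":"ExchangeAdmin","Operation":"Set-Mailbox","UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"dave"},{"Name":"ForwardingSmtpAddress","Value":"smtp:dave.backup@example.com"}]}
"""

INTERNAL_DOMAINS = {"example.com"}  # constructed: the tenant's own mail domains


def load_ndjson(text):
    """Parse an NDJSON export into a list of record dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def params(rec):
    """Flatten the ExchangeAdmin Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def is_external(addr):
    """ForwardingSmtpAddress looks like 'smtp:user@domain'; external if not one of ours."""
    return addr.split("@")[-1].lower() not in INTERNAL_DOMAINS


def is_zero_age(p):
    """True when AuditLogAgeLimit is present and is a zero timespan ('0', '00:00:00', ...)."""
    v = p.get("AuditLogAgeLimit")
    return v is not None and v != "" and v.strip("0:. ") == ""


# One rule per table row that can be decided from a single ExchangeAdmin record:
# (cmdlet, predicate over the parameter dict, ATT&CK sub-technique, description).
ADMIN_RULES = [
    ("Set-MailboxAuditBypassAssociation", lambda p: p.get("AuditBypassEnabled") == "True",
     "T1562.008", "mailbox audit bypass enabled"),
    ("Set-Mailbox", is_zero_age, "T1562.001", "mailbox audit log age set to zero"),
    ("Set-AdminAuditLogConfig", lambda p: p.get("UnifiedAuditLogIngestionEnabled") == "False",
     "T1562.008", "unified audit log ingestion disabled"),
    ("Set-CASMailbox", lambda p: "True" in (p.get("ImapEnabled"), p.get("PopEnabled")),
     "T1114.002", "IMAP/POP enabled on mailbox"),
    ("Set-Mailbox", lambda p: "ForwardingSmtpAddress" in p and is_external(p["ForwardingSmtpAddress"]),
     "T1114.003", "external mailbox forward created"),
    ("New-InboxRule", lambda p: p.get("DeleteMessage") == "True",
     "T1564.008", "new inbox rule that deletes mail"),
    ("Set-InboxRule", lambda p: p.get("DeleteMessage") == "True",
     "T1564.008", "existing inbox rule changed to delete mail"),
    ("Add-MailboxPermission", lambda p: "FullAccess" in p.get("AccessRights", ""),
     "T1098.002", "full-access mailbox delegation"),
    ("Add-RecipientPermission", lambda p: "SendAs" in p.get("AccessRights", ""),
     "T1098.002", "send-as mailbox delegation"),
]


def detect_admin(records):
    """Return (time, actor, sub-technique, description) for each ExchangeAdmin rule match."""
    hits = []
    for rec in records:
        if rec.get("RecordType") != "ExchangeAdmin":
            continue
        p = params(rec)
        for op, pred, tech, desc in ADMIN_RULES:
            if rec["Operation"] == op and pred(p):
                hits.append((rec["CreationTime"], rec["UserId"], tech, desc))
    return hits


def detect_spray(records, min_users=3, window=timedelta(minutes=10)):
    """Flag a successful logon from an IP that, within `window` before it, failed
    against at least `min_users` distinct accounts (spray followed by success)."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec.get("RecordType") == "AzureActiveDirectoryStsLogon":
            by_ip[rec.get("ClientIP")].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["CreationTime"])  # ISO timestamps sort lexically
        for i, rec in enumerate(recs):
            if rec["Operation"] != "UserLoggedIn":
                continue
            t = datetime.fromisoformat(rec["CreationTime"])
            failed_users = {r["UserId"] for r in recs[:i]
                            if r["Operation"] == "UserLoginFailed"
                            and t - datetime.fromisoformat(r["CreationTime"]) <= window}
            if len(failed_users) >= min_users:
                hits.append((rec["CreationTime"], ip, rec["UserId"], "T1110.003",
                             f"success after failures against {len(failed_users)} accounts"))
    return hits


def run(text=SAMPLE_NDJSON):
    """Run both detections over an NDJSON export and return all hits."""
    records = load_ndjson(text)
    return detect_spray(records) + detect_admin(records)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

On the constructed sample the spray rule fires once (the 203.0.113.7 success for carol after failures against three accounts) and the admin rules fire four times (audit bypass, delete-rule, external forward, zero audit age); the internal forward for dave is correctly left alone. Real exports need the `INTERNAL_DOMAINS` set filled from the tenant's accepted domains and the spray threshold tuned to the sign-in volume, and `Set-Mailbox` shows how one cmdlet can satisfy several rows depending on which parameters are present.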

Icon for the project: Software testing icons created by Freepik - Flaticon
