This repository exists to support fellow threat detection engineers by providing sample data sets. The sample data sets were created by simulated activity within the Microsoft 365 platform. Simulations were performed via PowerShell using MS API and the M365 web portal. Microsoft Extractor Suite was used to extract the logs for this project. https://github.com/invictus-ir/Microsoft-Extractor-Suite.
| No | Activity | MITRE Tactic | MITRE Technique | MITRE Sub-Technique | Source | Atomic Red Team Test |
|---|---|---|---|---|---|---|
| 1 | Password Spraying and followed by a success - MSOLSPRAY (PowerShell) | TA0006-Credential Access | T1110 | T1110.003 | AzureActiveDirectoryStsLogon | |
| 2 | Password Spraying and followed by a success - MSOLSPRAY (Python) | TA0006-Credential Access | T1110 | T1110.003 | AzureActiveDirectoryStsLogon | |
| 3 | Password Spraying and followed by a success - o365spray(default module) | TA0006-Credential Access | T1110 | T1110.003 | AzureActiveDirectoryStsLogon | |
| 4 | Password Spraying and followed by a success - o365spray(reporting module) | TA0006-Credential Access | T1110 | T1110.003 | AzureActiveDirectoryStsLogon | |
| 5 | Use MFASweep to identify MFA status of MS Services | TA0043-Reconnaissance | T1592 | T1592.004 | AzureActiveDirectoryStsLogon | |
| 6 | Discovery using Azurehound list | TA0007-Discovery | T1482 | - | AzureActiveDirectoryStsLogon | |
| 7 | Set Audit Bypass For a Mailbox | TA0005-Defense Evasion | T1562 | T1562.008 | ExchangeAdmin | |
| 8 | Set Mailbox Audit Log Age to Zero | TA0005-Defense Evasion | T1562 | T1562.001 | ExchangeAdmin | |
| 9 | Disable Unified Audit Log ingestion | TA0005-Defense Evasion | T1562 | T1562.008 | ExchangeAdmin | |
| 10 | Assign Company Administrator role to a user in Azure | TA0003-Persistence | T1098 | T1098.001 | Azure Active Directory | |
| 11 | Enable IMAP or POP for a mailbox | TA0009-Collection | T1114 | T1114.002 | ExchangeAdmin | |
| 12 | Create external forward a mailbox | TA0009-Collection | T1114 | T1114.003 | ExchangeAdmin | |
| 13 | Update an existing inbox rule | TA0005-Defense Evasion | T1564 | T1564.008 | ExchangeAdmin | |
| 14 | Set a new inbox rule to delete e-mail | TA0005-Defense Evasion | T1564 | T1564.008 | ExchangeAdmin | |
| 15 | Mailbox delegation with full access | TA0003-Persistence | T1098 | T1098.002 | ExchangeAdmin | |
| 16 | Mailbox delegation with send as permission | TA0003-Persistence | T1098 | T1098.002 | ExchangeAdmin | |
| 17 | Disable MFA for a user | TA0003-Persistence | T1556 | T1556.006 | Azure Active Directory | |
| 18 | Add ApplicationImpersonation role to an app | TA0003-Persistence | T1098 | T1098.002 | ExchangeAdmin | |
| 19 | User removed from an admin group | TA0040-Impact | T1531 | - | Azure Active Directory | |
| 20 | Remove Auditing license from a user | TA0005-Defense Evasion | T1562 | T1562.008 | Azure Active Directory | |
| 21 | Remove of a DLP Compliance Policy | TA0005-Defense Evasion | T1562 | T1562.001 | Security Compliance Center | |
| 22 | Change Consent Permission to allow any user to allow app grants | TA0005-Defense Evasion | T1550 | T1550.001 | Azure Active Directory | |
| 23 | App Registration for Rclone default config | TA0005-Defense Evasion | T1550 | T1550.001 | Azure Active Directory |
Icon for the project Software testing icons created by Freepik - Flaticon