{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# MSTICpy - Mordor data provider and browser\n",
"\n",
"### Description\n",
"This notebook provides a guided example of using the Mordor data provider and browser included with MSTICpy.\n",
"\n",
"For more information on the Mordor data sets see the [Open Threat Research Forge Mordor GitHub repo](https://github.com/OTRF/mordor).\n",
"\n",
"### Contents:\n",
"- Using the Mordor data provider to retrieve data sets\n",
"  - Listing queries\n",
"  - Running a query to retrieve data\n",
"  - Optional parameters\n",
"  - Searching for queries by Mordor property\n",
"- Mordor Browser\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Using the Data Provider to download datasets\n",
"\n",
"Using the data provider you can download and render event data as a pandas DataFrame.\n",
"\n",
"> **Note** - Mordor includes both host event data and network capture data.\n",
"> Although capture files can be downloaded and unpacked,\n",
"> they currently cannot be loaded into a pandas DataFrame.\n",
"> This is the case for most `network` datasets.\n",
"> `Host` event data is retrieved and populated into DataFrames.\n"
]
},
{
"cell_type": "code",
"execution_count": 12,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Retrieving Mitre data...\n",
"Retrieving Mordor data...\n"
]
}
],
"source": [
"from msticpy.data import QueryProvider\n",
"mdr_data = QueryProvider(\"Mordor\")\n",
"mdr_data.connect()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### List Queries\n",
"\n",
"> Note: Many Mordor data entries have multiple data sets, so we see more queries than Mordor entries.\n",
"\n",
"(Only first 15 shown)"
]
},
{
"cell_type": "code",
"execution_count": 13,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['small.aws.collection.ec2_proxy_s3_exfiltration',\n",
" 'small.windows.collection.host.msf_record_mic',\n",
" 'small.windows.credential_access.host.covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges',\n",
" 'small.windows.credential_access.host.empire_dcsync_dcerpc_drsuapi_DsGetNCChanges',\n",
" 'small.windows.credential_access.host.empire_mimikatz_backupkeys_dcerpc_smb_lsarpc',\n",
" 'small.windows.credential_access.host.empire_mimikatz_extract_keys',\n",
" 'small.windows.credential_access.host.empire_mimikatz_logonpasswords',\n",
" 'small.windows.credential_access.host.empire_mimikatz_lsadump_patch',\n",
" 'small.windows.credential_access.host.empire_mimikatz_sam_access',\n",
" 'small.windows.credential_access.host.empire_over_pth_patch_lsass',\n",
" 'small.windows.credential_access.host.empire_powerdump_sam_access',\n",
" 'small.windows.credential_access.host.empire_shell_reg_dump_sam',\n",
" 'small.windows.credential_access.host.empire_shell_rubeus_asktgt_createnetonly',\n",
" 'small.windows.credential_access.host.empire_shell_rubeus_asktgt_ptt',\n",
" 'small.windows.credential_access.host.rdp_interactive_taskmanager_lsass_dump']"
]
},
"execution_count": 13,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"mdr_data.list_queries()[:15]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Retrieving/querying a data set"
]
},
{
"cell_type": "code",
"execution_count": 14,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip\n",
"Extracting covenant_dcsync_dcerpc_drsuapi_DsGetNCChanges_2020-08-05020926.json\n"
]
},
{
"data": {
"text/html": [
"| | @version | Keywords | ThreadID | Version | DestAddress | host | LayerRTID | Message | SourceModuleName | SourceName | ... | Properties | OperationType | QueryName | QueryResults | QueryStatus | PipeName | DisabledPrivilegeList | EnabledPrivilegeList | ShareLocalPath | RelativeTargetName |\n",
"|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|\n",
"| 0 | 1 | -9214364837600034816 | 4888 | 1 | 239.255.255.250 | wec.internal.cloudapp.net | 44.0 | The Windows Filtering Platform has permitted a... | eventlog | Microsoft-Windows-Security-Auditing | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |\n",
"| 1 | 1 | -9223372036854775808 | 4452 | 2 | NaN | wec.internal.cloudapp.net | NaN | File created:\\r\\nRuleName: -\\r\\nUtcTime: 2020-... | eventlog | Microsoft-Windows-Sysmon | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |\n",
"| 2 | 1 | -9223372036854775808 | 4452 | 2 | NaN | wec.internal.cloudapp.net | NaN | RawAccessRead detected:\\r\\nRuleName: -\\r\\nUtcT... | eventlog | Microsoft-Windows-Sysmon | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |\n",
"\n",
"3 rows × 145 columns\n",
"\n",
"| | @version | Keywords | ThreadID | Version | DestAddress | host | LayerRTID | Message | SourceModuleName | SourceName | ... | Properties | OperationType | QueryName | QueryResults | QueryStatus | PipeName | DisabledPrivilegeList | EnabledPrivilegeList | ShareLocalPath | RelativeTargetName |\n",
"|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|\n",
"| 0 | 1 | -9214364837600034816 | 4888 | 1 | 239.255.255.250 | wec.internal.cloudapp.net | 44.0 | The Windows Filtering Platform has permitted a... | eventlog | Microsoft-Windows-Security-Auditing | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |\n",
"| 1 | 1 | -9223372036854775808 | 4452 | 2 | NaN | wec.internal.cloudapp.net | NaN | File created:\\r\\nRuleName: -\\r\\nUtcTime: 2020-... | eventlog | Microsoft-Windows-Sysmon | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |\n",
"\n",
"2 rows × 145 columns\n"
],
"text/plain": [
"Parameters\n",
"Query Example\n",
"{QueryProvider}[.QueryPath].QueryName(params...)\n",
"Mitre Technique T1078 (sub: 004) : Valid Accounts\n",
"Mitre Technique T1530 : Data from Cloud Storage Object\n",
"> passed to the query - these are not needed and are ignored."
]
},
{
"cell_type": "code",
"execution_count": 22,
"metadata": {},
"outputs": [
{
"data": {
"application/vnd.jupyter.widget-view+json": {
"model_id": "054b2f33184f4d5c8daa3456cbf25a60",
"version_major": 2,
"version_minor": 0
},
"text/plain": [
"VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
""
],
"text/plain": [
"AWS Cloud Bank Breach S3\n",
"https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/aws/collection/ec2_proxy_s3_exfiltration.zip\n",
"\n",
"qry_prov.small.aws.collection.ec2_proxy_s3_exfiltration(start=start, end=end, hostname=host)\n"
],
"text/plain": [
"Mordor dataset browser"
}
}
},
"version_major": 2,
"version_minor": 0
}
}
},
"nbformat": 4,
"nbformat_minor": 4
}