GitHub Repo

Snapattack

Date: 2026-04-01 ID: 1df9301c-3673-4c78-864e-e05b67e68748 Author: Raven Tait, Splunk Environment: attack_range Directory: snapattack

Description

Generated datasets for Windows Apache ActiveMQ Exploitation in attack range.

MITRE ATT&CK Techniques

ID Technique Tactic
T1190 Exploit Public-Facing Application Initial Access

Environment Details

Field Value
Environment attack_range
Directory snapattack
Test Date 2026-04-01

Datasets

The following datasets were collected during this attack simulation:

Snapattack

  • Path: /datasets/attack_techniques/T1190/snapattack/snaattack.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Snapattack_linux

  • Path: /datasets/attack_techniques/T1190/snapattack/snapattack_linux.log
  • Sourcetype: sysmon:linux
  • Source: Syslog:Linux-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name Type Source MITRE ATT&CK Analytic Story
Windows TeamCity Payload Execution from Temp Directory TTP Endpoint T1190, T1505.003, T1059 JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE
Windows Shell or Script Execution From IIS Directory Anomaly Endpoint T1190, T1505.004 ProxyShell, ProxyNotShell
Windows Unusual File Creation in Confluence Directory Anomaly Endpoint T1190, T1608.001, T1608.002 Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1190/snapattack/snaattack.log --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above
  2. Configure your Splunk instance with the appropriate sourcetypes
  3. Import the logs using the Splunk Add Data wizard

Related Content

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0