Merge pull request #1162 from splunk/active_mq_exploit

new dataset for ActiveMQ exploit and Lockbit ransomware

Author: P4T12ICK

datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/activemq_exploit_lockbit_ransomware.yml

@@ -0,0 +1,19 @@
+author: Patrick Bareiss, Splunk
+id: 1d5e15bc-7eaf-46a2-8a92-ad9e3eb5cbb4
+date: '2026-04-28'
+description: Execution of ActiveMQ exploit and Lockbit ransomware based on the following DFIR report https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
+environment: attack_range
+directory: ActiveMQ_exploit_Lockbit_Ransomware
+datasets:
+- name: windows-sysmon
+  path: /datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+- name: windows-security
+  path: /datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-security.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+- name: windows-powershell
+  path: /datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-powershell.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-powershell.log

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:405c2a15b183abd9f23e22eb18ddb65b562d9b80cca7a4338ffeddc26cbb6c4c
+size 57064933

datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-security.log

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55555312391cf49c51fddbbd2c19aa09d7c1469205d0f3374bec68ad4df49a78
+size 21544480

datasets/apt_simulations/ActiveMQ_exploit_Lockbit_Ransomware/windows-sysmon.log

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6fb7acc46cae31504b1d8fc7b731cfcbbfc61ef9819574a72d684c8ea47e9360
+size 20699440