From 654d229fab34229393590999608b45625d482cf1 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Wed, 20 Aug 2025 17:11:07 +0200
Subject: [PATCH] disable_lsa

---
 .../disable_lsa_protection_new.yml | 13 +++++++++++++
 .../lsa_reg_deletion_modification.log | 3 +++
 2 files changed, 16 insertions(+)
 create mode 100644 datasets/attack_techniques/T1556/disable_lsa_protection_new/disable_lsa_protection_new.yml
 create mode 100644 datasets/attack_techniques/T1556/disable_lsa_protection_new/lsa_reg_deletion_modification.log

diff --git a/datasets/attack_techniques/T1556/disable_lsa_protection_new/disable_lsa_protection_new.yml b/datasets/attack_techniques/T1556/disable_lsa_protection_new/disable_lsa_protection_new.yml
new file mode 100644
index 00000000..847d3678
--- /dev/null
+++ b/datasets/attack_techniques/T1556/disable_lsa_protection_new/disable_lsa_protection_new.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: a54f1d38-7dd7-11f0-8ab3-629be3538069
+date: '2025-08-20'
+description: Generated datasets for disable lsa protection new in attack range.
+environment: attack_range
+directory: disable_lsa_protection_new
+mitre_technique:
+- T1556
+datasets:
+- name: lsa_reg_deletion_modification.log
+ path: /datasets/attack_techniques/T1556/disable_lsa_protection_new/lsa_reg_deletion_modification.log
+ sourcetype: 'XmlWinEventLog'
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1556/disable_lsa_protection_new/lsa_reg_deletion_modification.log b/datasets/attack_techniques/T1556/disable_lsa_protection_new/lsa_reg_deletion_modification.log
new file mode 100644
index 00000000..3a9c3e30
--- /dev/null
+++ b/datasets/attack_techniques/T1556/disable_lsa_protection_new/lsa_reg_deletion_modification.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2837f645d3270b5c2c362f633e0c25f2232b9df8099eed695576cbc754a9f59a
+size 51908
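Review bot: The `description` value in the new YAML ("Generated datasets for disable lsa protection new in attack range.") is a templated phrase that tells a detection author nothing about what events the log holds, which matters because this file is the only human-readable index for the dataset. The log's file name suggests it contains Sysmon registry modification and deletion events recorded while LSA protection was disabled, so, if that is what was captured, I would state it explicitly, e.g. `description: Sysmon registry modification and deletion events captured while LSA protection was disabled in attack range; intended for testing T1556 detections.` The YAML also ends without a trailing newline (`\ No newline at end of file`), which most YAML linters and pre-commit hooks flag, so add one. The second hunk is a Git LFS pointer and needs no review.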