From 19f63c6186d6e06d3eecdef92471faf27a38ef6e Mon Sep 17 00:00:00 2001
From: nasbench
Date: Wed, 15 Oct 2025 17:39:11 +0200
Subject: [PATCH] add wbadmin rec dataset

---
 .../T1565.001/wbadmin_recovery/wbadmin_recovery.log | 3 +++
 .../T1565.001/wbadmin_recovery/wbadmin_recovery.yml | 13 +++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 datasets/attack_techniques/T1565.001/wbadmin_recovery/wbadmin_recovery.log
 create mode 100644 datasets/attack_techniques/T1565.001/wbadmin_recovery/wbadmin_recovery.yml

diff --git a/datasets/attack_techniques/T1565.001/wbadmin_recovery/wbadmin_recovery.log b/datasets/attack_techniques/T1565.001/wbadmin_recovery/wbadmin_recovery.log
new file mode 100644
index 00000000..9058e122
--- /dev/null
+++ b/datasets/attack_techniques/T1565.001/wbadmin_recovery/wbadmin_recovery.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8147c4ae0b83ec0155e64a69df1d59189f307054824085c6c32eb8940f131693
+size 2161
diff --git a/datasets/attack_techniques/T1565.001/wbadmin_recovery/wbadmin_recovery.yml b/datasets/attack_techniques/T1565.001/wbadmin_recovery/wbadmin_recovery.yml
new file mode 100644
index 00000000..d9d45fc9
--- /dev/null
+++ b/datasets/attack_techniques/T1565.001/wbadmin_recovery/wbadmin_recovery.yml
@@ -0,0 +1,13 @@
+author: Nasreddine Bencherchali, Splunk
+id: 0232e68d-338f-4963-8602-614357458534
+date: '2025-10-15'
+description: Generated datasets covering the execution of wbadmin for recovery in attack range.
+environment: attack_range
+directory: wbadmin_recovery
+mitre_technique:
+- T1046
+datasets:
+- name: wbadmin_recovery.log
+  path: /datasets/attack_techniques/T1565.001/wbadmin_recovery/wbadmin_recovery.log
+  sourcetype: XmlWinEventLog
+  source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
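Review bot: The `mitre_technique` entry `- T1046` in wbadmin_recovery.yml disagrees with the technique the dataset is filed under, `datasets/attack_techniques/T1565.001/...` (also repeated in the `path` field). T1046 is Network Service Discovery while T1565.001 is Stored Data Manipulation, and the description is about wbadmin recovery, so one of the two values looks mistyped. Anything that maps detections to datasets by technique ID will associate this Sysmon log with the wrong technique until they agree; if the directory is the authoritative one, the fix is to change the line to `- T1565.001`, otherwise the dataset should move to the directory matching the intended technique. The description could also state which wbadmin operation the log captures, so that reviewers can judge the technique mapping without opening the LFS-tracked log.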