diff --git a/datasets/attack_techniques/T1021.001/execution_from_rdp_share/execution_from_rdp_share.log b/datasets/attack_techniques/T1021.001/execution_from_rdp_share/execution_from_rdp_share.log
new file mode 100644
index 00000000..7fb8f6f5
--- /dev/null
+++ b/datasets/attack_techniques/T1021.001/execution_from_rdp_share/execution_from_rdp_share.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0faecc0797d5b9c320965de44fa7d722abff0f8387df570f65da2e8cb7e7a923
+size 11222
diff --git a/datasets/attack_techniques/T1021.001/execution_from_rdp_share/execution_from_rdp_share.yml b/datasets/attack_techniques/T1021.001/execution_from_rdp_share/execution_from_rdp_share.yml
new file mode 100644
index 00000000..0b644cd7
--- /dev/null
+++ b/datasets/attack_techniques/T1021.001/execution_from_rdp_share/execution_from_rdp_share.yml
@@ -0,0 +1,13 @@
+author: Nasreddine Bencherchali, Splunk
+id: 5b9f128a-50a1-469e-a806-6a89fd1b3076
+date: '2025-10-21'
+description: Generated datasets covering the creation or execution of NirSof ttooling.
+environment: attack_range
+directory: nirsoft_tooling
+mitre_technique:
+- T1021.001
+datasets:
+- name: execution_from_rdp_share.log
+ path: /datasets/attack_techniques/T1021.001/execution_from_rdp_share/execution_from_rdp_share.log
+ sourcetype: XmlWinEventLog
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
diff --git a/datasets/attack_techniques/T1588.002/nirsoft_tooling/nirsoft_file_bundle_created.log b/datasets/attack_techniques/T1588.002/nirsoft_tooling/nirsoft_file_bundle_created.log
new file mode 100644
index 00000000..32a676b8
--- /dev/null
+++ b/datasets/attack_techniques/T1588.002/nirsoft_tooling/nirsoft_file_bundle_created.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fbf6b1991701017cfe121dc2e5e137ed3b6a9c735376322864f90e4af97cf968
+size 4831
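Review bot: In execution_from_rdp_share.yml the `description` and `directory` fields look copied from the NirSoft dataset: the file sits under T1021.001/execution_from_rdp_share and lists execution_from_rdp_share.log, yet it carries `directory: nirsoft_tooling` and a description about NirSoft tooling. Anyone selecting test data by these fields would get misleading metadata for an RDP-share detection, so I would set `directory: execution_from_rdp_share` and describe what the log actually holds (presumably Sysmon events for execution from an RDP-redirected share; confirm against the log). The misspelling `NirSof ttooling` also appears in nirsoft_tooling.yml and should read `NirSoft tooling` there.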
diff --git a/datasets/attack_techniques/T1588.002/nirsoft_tooling/nirsoft_tooling.yml b/datasets/attack_techniques/T1588.002/nirsoft_tooling/nirsoft_tooling.yml
new file mode 100644
index 00000000..5dd02511
--- /dev/null
+++ b/datasets/attack_techniques/T1588.002/nirsoft_tooling/nirsoft_tooling.yml
@@ -0,0 +1,13 @@
+author: Nasreddine Bencherchali, Splunk
+id: 5b9f127a-50a1-469e-a806-6a89fd1b3076
+date: '2025-10-21'
+description: Generated datasets covering the creation or execution of NirSof ttooling.
+environment: attack_range
+directory: nirsoft_tooling
+mitre_technique:
+- T1588.002
+datasets:
+- name: nirsoft_file_bundle_created.log
+ path: /datasets/attack_techniques/T1588.002/nirsoft_tooling/nirsoft_file_bundle_created.log
+ sourcetype: XmlWinEventLog
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
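Review bot: The `id` in nirsoft_tooling.yml, `5b9f127a-50a1-469e-a806-6a89fd1b3076`, differs from the one in execution_from_rdp_share.yml by a single hex digit, which suggests one was hand-edited from the other rather than generated. A freshly generated UUID per dataset avoids accidental collisions in any tooling that keys on this field. The description also says "creation or execution" while the only dataset listed is nirsoft_file_bundle_created.log, so either narrow the wording to file creation or add the execution log.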