From fb255aa86adaebd0fc671910d4a369bd8e5443d6 Mon Sep 17 00:00:00 2001
From: P4T12ICK <patrickbareiss1989@gmail.com>
Date: Fri, 24 Oct 2025 16:15:43 +0200
Subject: [PATCH 1/2] Update YAML metadata for T1003

---
 .../T1003.002/atomic_red_team/atomic_red_team.yml             | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml
index 5b52451b..9c956d8e 100644
--- a/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml
+++ b/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml
@@ -17,3 +17,7 @@ datasets:
   path: /datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log
   sourcetype: XmlWinEventLog
   source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+- name: sysmon
+  path: datasets/attack_techniques/T1003.002/atomic_red_team/sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

From 3bf8bbe6d3d1c035ee55acbcdd0aa8960d792e7d Mon Sep 17 00:00:00 2001
From: P4T12ICK <patrickbareiss1989@gmail.com>
Date: Fri, 24 Oct 2025 16:15:44 +0200
Subject: [PATCH 2/2] Add attack data for T1003

---
 .../T1003.002/atomic_red_team/sysmon.log               | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 datasets/attack_techniques/T1003.002/atomic_red_team/sysmon.log

diff --git a/datasets/attack_techniques/T1003.002/atomic_red_team/sysmon.log b/datasets/attack_techniques/T1003.002/atomic_red_team/sysmon.log
new file mode 100644
index 00000000..cf9bdb4c
--- /dev/null
+++ b/datasets/attack_techniques/T1003.002/atomic_red_team/sysmon.log
@@ -0,0 +1,10 @@
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:58.830193800Z'/><EventRecordID>246318</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='2356'/><Channel>Security</Channel><Computer>ar-win-1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>AR-WIN-1$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0xfe8</Data><Data Name='NewProcessName'>C:\Windows\System32\wbem\WmiPrvSE.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x310</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>AR-WIN-1$</Data><Data Name='TargetDomainName'>WORKGROUP</Data><Data Name='TargetLogonId'>0x3e4</Data><Data Name='ParentProcessName'>C:\Windows\System32\svchost.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:51.750666200Z'/><EventRecordID>246317</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='4464'/><Channel>Security</Channel><Computer>ar-win-1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>AR-WIN-1$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x74</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x994</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:51.751878600Z'/><EventRecordID>83619</EventRecordID><Correlation/><Execution ProcessID='2480' ThreadID='3748'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-10-24 14:14:51.750</Data><Data Name='ProcessGuid'>{2d9b1c52-89db-68fb-221d-010000006903}</Data><Data Name='ProcessId'>116</Data><Data Name='Image'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe</Data><Data Name='FileVersion'>9.3.0</Data><Data Name='Description'>Registry monitor</Data><Data Name='Product'>splunk Application</Data><Data Name='Company'>Splunk Inc.</Data><Data Name='OriginalFileName'>splunk-regmon.exe</Data><Data Name='CommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{2d9b1c52-0eab-68f1-e703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=F1B469DA7803AFE04870B4871CC0F695,SHA256=8198111A755A6918B5559B548574061A41EF5AACAE706DD154936CFEC6E6432E,IMPHASH=AEB21630574EF01A3A5116CB58C5AC56</Data><Data Name='ParentProcessGuid'>{2d9b1c52-0eb0-68f1-3b00-000000006903}</Data><Data Name='ParentProcessId'>2452</Data><Data Name='ParentImage'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>22</EventID><Version>5</Version><Level>4</Level><Task>22</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:51.233710900Z'/><EventRecordID>83618</EventRecordID><Correlation/><Execution ProcessID='2480' ThreadID='3776'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-10-24 14:14:45.548</Data><Data Name='ProcessGuid'>{2d9b1c52-89d8-68fb-1e1d-010000006903}</Data><Data Name='ProcessId'>5092</Data><Data Name='QueryName'>_ldap._tcp.dc._msdcs.WORKGROUP</Data><Data Name='QueryStatus'>9003</Data><Data Name='QueryResults'>-</Data><Data Name='Image'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:51.001712100Z'/><EventRecordID>83617</EventRecordID><Correlation/><Execution ProcessID='2480' ThreadID='3748'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-10-24 14:14:50.999</Data><Data Name='ProcessGuid'>{2d9b1c52-89da-68fb-211d-010000006903}</Data><Data Name='ProcessId'>2276</Data><Data Name='Image'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe</Data><Data Name='FileVersion'>9.3.0</Data><Data Name='Description'>Network monitor</Data><Data Name='Product'>Splunk Application</Data><Data Name='Company'>Splunk Inc.</Data><Data Name='OriginalFileName'>splunk-netmon.exe</Data><Data Name='CommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{2d9b1c52-0eab-68f1-e703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=E30CB50BE9EC2FB49497F136DC71448F,SHA256=7835B39374396001E12637509AE0D22FCB7E2A89F6143DED03186B500276E537,IMPHASH=D30C8E545B1C24DE4E0DC100EF70F2D0</Data><Data Name='ParentProcessGuid'>{2d9b1c52-0eb0-68f1-3b00-000000006903}</Data><Data Name='ParentProcessId'>2452</Data><Data Name='ParentImage'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:50.999579200Z'/><EventRecordID>246316</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1660'/><Channel>Security</Channel><Computer>ar-win-1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>AR-WIN-1$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x8e4</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x994</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:50.249501900Z'/><EventRecordID>246315</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1660'/><Channel>Security</Channel><Computer>ar-win-1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>AR-WIN-1$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x8c8</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x994</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:50.250638000Z'/><EventRecordID>83616</EventRecordID><Correlation/><Execution ProcessID='2480' ThreadID='3748'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-10-24 14:14:50.249</Data><Data Name='ProcessGuid'>{2d9b1c52-89da-68fb-201d-010000006903}</Data><Data Name='ProcessId'>2248</Data><Data Name='Image'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data><Data Name='FileVersion'>-</Data><Data Name='Description'>-</Data><Data Name='Product'>-</Data><Data Name='Company'>-</Data><Data Name='OriginalFileName'>-</Data><Data Name='CommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{2d9b1c52-0eab-68f1-e703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=FCB0604926A81A7A7746B7066B286DC8,SHA256=211CC17F7C47B5CCF2B980A2091D392C73C9ABADDB1061CE419C5357DD5545C2,IMPHASH=44A0061B15025B4FBD3C0D7BCF7E24E9</Data><Data Name='ParentProcessGuid'>{2d9b1c52-0eb0-68f1-3b00-000000006903}</Data><Data Name='ParentProcessId'>2452</Data><Data Name='ParentImage'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:49.500010700Z'/><EventRecordID>246314</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1660'/><Channel>Security</Channel><Computer>ar-win-1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>AR-WIN-1$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x13cc</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x994</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-10-24T14:14:49.501745400Z'/><EventRecordID>83615</EventRecordID><Correlation/><Execution ProcessID='2480' ThreadID='3748'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-10-24 14:14:49.499</Data><Data Name='ProcessGuid'>{2d9b1c52-89d9-68fb-1f1d-010000006903}</Data><Data Name='ProcessId'>5068</Data><Data Name='Image'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='FileVersion'>10.0.10011.16384</Data><Data Name='Description'>SplunkMonNoHandle Control Program</Data><Data Name='Product'>Windows (R) Win 7 DDK driver</Data><Data Name='Company'>Windows (R) Win 7 DDK provider</Data><Data Name='OriginalFileName'>SplunkMonNoHandle.exe</Data><Data Name='CommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{2d9b1c52-0eab-68f1-e703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=509F459BAA92E3C3D2B8AF2ABEE90640,SHA256=12576AFDC3B84FA47162F3FE31DC926B5B1F82EC1B4A4721A656274275CB7B20,IMPHASH=AA49C0FBBD591DE7932A03B49B088142</Data><Data Name='ParentProcessGuid'>{2d9b1c52-0eb0-68f1-3b00-000000006903}</Data><Data Name='ParentProcessId'>2452</Data><Data Name='ParentImage'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>