From 1e3e6b4659629819993b0cd9a252ddc58846f14d Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Mon, 27 Oct 2025 14:02:04 +0100
Subject: [PATCH] det_fixes

---
 .../default_rdp_dropped.log | 3 +++
 .../susp_default_rdp_creation.yml | 13 +++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 datasets/attack_techniques/T1021.001/susp_default_rdp_creation/default_rdp_dropped.log
 create mode 100644 datasets/attack_techniques/T1021.001/susp_default_rdp_creation/susp_default_rdp_creation.yml

diff --git a/datasets/attack_techniques/T1021.001/susp_default_rdp_creation/default_rdp_dropped.log b/datasets/attack_techniques/T1021.001/susp_default_rdp_creation/default_rdp_dropped.log
new file mode 100644
index 00000000..716b3d5b
--- /dev/null
+++ b/datasets/attack_techniques/T1021.001/susp_default_rdp_creation/default_rdp_dropped.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23f802141a9dc33ca819fb13e03f4d3f3a55113dc08ea1b6cc8661432bec7818
+size 10937
diff --git a/datasets/attack_techniques/T1021.001/susp_default_rdp_creation/susp_default_rdp_creation.yml b/datasets/attack_techniques/T1021.001/susp_default_rdp_creation/susp_default_rdp_creation.yml
new file mode 100644
index 00000000..f7349f20
--- /dev/null
+++ b/datasets/attack_techniques/T1021.001/susp_default_rdp_creation/susp_default_rdp_creation.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: f3a83b08-b334-11f0-894e-629be3538069
+date: '2025-10-27'
+description: Generated datasets for susp default rdp creation in attack range.
+environment: attack_range
+directory: susp_default_rdp_creation
+mitre_technique:
+- T1021.001
+datasets:
+- name: default_rdp_dropped.log
+  path: /datasets/attack_techniques/T1021.001/susp_default_rdp_creation/default_rdp_dropped.log
+  sourcetype: 'XmlWinEventLog'
+  source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
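Review bot: The `description:` line of susp_default_rdp_creation.yml does not say what the captured log actually contains, so a reader of the dataset index cannot tell which Sysmon event or host activity it records, or which detection it is meant to exercise, without fetching the LFS object. From the file and directory names it presumably holds the Sysmon Operational events recorded while a default RDP connection file was written on the attack_range host; if that is right, something like `description: Sysmon Operational events captured in attack_range while a default RDP connection file was created; exercises the suspicious default RDP file creation detection.` would make the dataset self-describing and let reviewers confirm the sourcetype/source pairing is the one the detection searches. The new file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags and which can break tools that concatenate dataset manifests; add a final newline after the `source:` line.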