diff --git a/datasets/attack_techniques/T1003/test/sysmon.xml b/datasets/attack_techniques/T1003/test/sysmon.xml
new file mode 100644
index 00000000..ff886229
--- /dev/null
+++ b/datasets/attack_techniques/T1003/test/sysmon.xml
@@ -0,0 +1,5 @@
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>22</EventID><Version>5</Version><Level>4</Level><Task>22</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-10-29T16:27:52.302127000Z'/><EventRecordID>135299</EventRecordID><Correlation/><Execution ProcessID='2480' ThreadID='3776'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-10-29 16:27:44.841</Data><Data Name='ProcessGuid'>{2d9b1c52-4086-6902-78d0-010000006903}</Data><Data Name='ProcessId'>260</Data><Data Name='QueryName'>_ldap._tcp.dc._msdcs.WORKGROUP</Data><Data Name='QueryStatus'>9003</Data><Data Name='QueryResults'>-</Data><Data Name='Image'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-10-29T16:27:50.784014600Z'/><EventRecordID>135298</EventRecordID><Correlation/><Execution ProcessID='2480' ThreadID='3748'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-10-29 16:27:50.780</Data><Data Name='ProcessGuid'>{2d9b1c52-4086-6902-79d0-010000006903}</Data><Data Name='ProcessId'>1824</Data><Data Name='Image'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe</Data><Data Name='FileVersion'>9.3.0</Data><Data Name='Description'>Registry monitor</Data><Data Name='Product'>splunk Application</Data><Data Name='Company'>Splunk Inc.</Data><Data Name='OriginalFileName'>splunk-regmon.exe</Data><Data Name='CommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{2d9b1c52-0eab-68f1-e703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=F1B469DA7803AFE04870B4871CC0F695,SHA256=8198111A755A6918B5559B548574061A41EF5AACAE706DD154936CFEC6E6432E,IMPHASH=AEB21630574EF01A3A5116CB58C5AC56</Data><Data Name='ParentProcessGuid'>{2d9b1c52-0eb0-68f1-3b00-000000006903}</Data><Data Name='ParentProcessId'>2452</Data><Data Name='ParentImage'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-10-29T16:27:50.026462000Z'/><EventRecordID>135297</EventRecordID><Correlation/><Execution ProcessID='2480' ThreadID='3748'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-10-29 16:27:50.024</Data><Data Name='ProcessGuid'>{2d9b1c52-4086-6902-78d0-010000006903}</Data><Data Name='ProcessId'>260</Data><Data Name='Image'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Data><Data Name='FileVersion'>9.3.0</Data><Data Name='Description'>Active Directory monitor</Data><Data Name='Product'>splunk Application</Data><Data Name='Company'>Splunk Inc.</Data><Data Name='OriginalFileName'>splunk-admon.exe</Data><Data Name='CommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{2d9b1c52-0eab-68f1-e703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=DBFD61F6BB7B564B6D2E8C43BDCFA36B,SHA256=CE85AA468CE40D8463CE0B8E5320637BD87C9A0702F8B0BD35A40F93D146E80B,IMPHASH=623F6CD6D62EAC500E2DDE74F881F752</Data><Data Name='ParentProcessGuid'>{2d9b1c52-0eb0-68f1-3b00-000000006903}</Data><Data Name='ParentProcessId'>2452</Data><Data Name='ParentImage'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-10-29T16:27:50.780799500Z'/><EventRecordID>292574</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='2440'/><Channel>Security</Channel><Computer>ar-win-1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>AR-WIN-1$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x720</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x994</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-10-29T16:27:50.024550300Z'/><EventRecordID>292573</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='5088'/><Channel>Security</Channel><Computer>ar-win-1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>AR-WIN-1$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x104</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x994</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
diff --git a/datasets/attack_techniques/T1003/test/test.yml b/datasets/attack_techniques/T1003/test/test.yml
new file mode 100644
index 00000000..c0781282
--- /dev/null
+++ b/datasets/attack_techniques/T1003/test/test.yml
@@ -0,0 +1,13 @@
+author: PB
+id: 791b8984-9559-44f5-9871-afcdd7d8cc52
+date: '2025-10-29'
+description: Attack data for technique T1003
+environment: attack_range
+directory: test
+mitre_technique:
+- T1003
+datasets:
+- name: sysmon
+  path: datasets/attack_techniques/T1003/test/sysmon.xml
+  sourcetype: test
+  source: Sysmon