From 4e5214f0d57171b20a2fe4e206c9a9617c3fa6dc Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Wed, 12 Nov 2025 14:41:27 +0100
Subject: [PATCH 1/3] Configure Git LFS for attack data files

---
 datasets/.gitattributes | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 datasets/.gitattributes

diff --git a/datasets/.gitattributes b/datasets/.gitattributes
new file mode 100644
index 00000000..4f29089a
--- /dev/null
+++ b/datasets/.gitattributes
@@ -0,0 +1,2 @@
+*.log filter=lfs diff=lfs merge=lfs -text
+*.log.* filter=lfs diff=lfs merge=lfs -text

From 7408a9b3f9b145faf5796dffdd4e3b6a0635e56a Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Wed, 12 Nov 2025 14:41:28 +0100
Subject: [PATCH 2/3] Add YAML metadata for T1003.003

---
 .../credential-dumping-via-symlink.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml

diff --git a/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml
new file mode 100644
index 00000000..5a7e574e
--- /dev/null
+++ b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml
@@ -0,0 +1,14 @@
+author: PB
+id: b6ed453c-c5e3-496f-b6f7-7dc365e984ba
+date: '2025-11-12'
+description: Attack data for detection Credential Dumping via Symlink to Shadow Copy
+ New
+environment: attack_range
+directory: credential-dumping-via-symlink
+mitre_technique:
+- T1003.003
+datasets:
+- name: data
+  path: datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

From 7025ef3cdbec908b846cfcb84e3bb157b7fe0901 Mon Sep 17 00:00:00 2001
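Review bot: The two patterns in `datasets/.gitattributes` route every `*.log` and `*.log.*` file under `datasets/` into Git LFS, but the file itself does not say so, and a reader who clones without LFS installed sees only a three-line pointer where `data.log` should be (the third patch commits exactly that pointer). Suggest a leading comment such as `# Attack data logs (*.log, *.log.*) are stored in Git LFS; run 'git lfs pull' to fetch the events` so the ingest step is discoverable from the attributes file. The `-text` attribute is worth a word too: it disables EOL conversion, which is what keeps the pointer's sha256 oid stable across platforms, and that oid is what git-lfs checks the fetched content against.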
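Review bot: The `description` scalar in the new YAML wraps onto a continuation line that holds only `New`, so the folded value reads "… Symlink to Shadow Copy New", which looks like a stray word rather than part of the detection title; if the detection is named "Credential Dumping via Symlink to Shadow Copy", the fix is the single line `description: Attack data for detection Credential Dumping via Symlink to Shadow Copy`, and if "New" is intentional it should be explained. The `path` entry refers to `data.log`, which the third patch in this series adds as an LFS pointer, so any tool consuming this metadata must have LFS content fetched before the `XmlWinEventLog` sourcetype makes sense; a short comment above `datasets:` noting the LFS dependency would save the next person a confused ingest.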
From: P4T12ICK
Date: Wed, 12 Nov 2025 14:41:29 +0100
Subject: [PATCH 3/3] Add attack data for T1003.003

---
 .../T1003.003/credential-dumping-via-symlink/data.log | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log

diff --git a/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log
new file mode 100644
index 00000000..4dfa391f
--- /dev/null
+++ b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:263b56afa1db376866d4fa029d4e57a3084d408731473fcff28529f8dfb392c5
+size 11161