From 98f992283d32dc5b86f85c03b3f5cfd73dc663d5 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Fri, 14 Nov 2025 14:31:59 +0100
Subject: [PATCH] netsupport
---
...asquerading_executable_as_non_exec_file_type.yml | 13 +++++++++++++
.../non_exec_ext_but_exec_detected.log | 3 +++
.../T1036/netsupport_modules/net_support_module.log | 3 +++
.../T1036/netsupport_modules/netsupport_modules.yml | 13 +++++++++++++
.../T1112/delete_runmru_reg/delete_runmru_reg.yml | 13 +++++++++++++
.../T1112/delete_runmru_reg/runmru_deletion.log | 3 +++
6 files changed, 48 insertions(+)
create mode 100644 datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/masquerading_executable_as_non_exec_file_type.yml
create mode 100644 datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/non_exec_ext_but_exec_detected.log
create mode 100644 datasets/attack_techniques/T1036/netsupport_modules/net_support_module.log
create mode 100644 datasets/attack_techniques/T1036/netsupport_modules/netsupport_modules.yml
create mode 100644 datasets/attack_techniques/T1112/delete_runmru_reg/delete_runmru_reg.yml
create mode 100644 datasets/attack_techniques/T1112/delete_runmru_reg/runmru_deletion.log
diff --git a/datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/masquerading_executable_as_non_exec_file_type.yml b/datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/masquerading_executable_as_non_exec_file_type.yml
new file mode 100644
index 00000000..9ee12374
--- /dev/null
+++ b/datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/masquerading_executable_as_non_exec_file_type.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 0f2d6b50-c15e-11f0-8cf9-629be353806a
+date: '2025-11-14'
+description: Generated datasets for masquerading executable as non exec file type in attack range.
+environment: attack_range
+directory: masquerading_executable_as_non_exec_file_type
+mitre_technique:
+- T1036.008
+datasets:
+- name: non_exec_ext_but_exec_detected.log
+ path: /datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/non_exec_ext_but_exec_detected.log
+ sourcetype: 'XmlWinEventLog'
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/non_exec_ext_but_exec_detected.log b/datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/non_exec_ext_but_exec_detected.log
new file mode 100644
index 00000000..b0f15ed9
--- /dev/null
+++ b/datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/non_exec_ext_but_exec_detected.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eca1f193a3e5a521550ee6def74a333423ecba0e0666632971d64c7e6fb25ceb
+size 11937
diff --git a/datasets/attack_techniques/T1036/netsupport_modules/net_support_module.log b/datasets/attack_techniques/T1036/netsupport_modules/net_support_module.log
new file mode 100644
index 00000000..666a7968
--- /dev/null
+++ b/datasets/attack_techniques/T1036/netsupport_modules/net_support_module.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8dfcc5222a610c12eebbbd305ef33779f6e454b3e5c7d4ed30f078b1389ff9bc
+size 7793
diff --git a/datasets/attack_techniques/T1036/netsupport_modules/netsupport_modules.yml b/datasets/attack_techniques/T1036/netsupport_modules/netsupport_modules.yml
new file mode 100644
index 00000000..2c8b1631
--- /dev/null
+++ b/datasets/attack_techniques/T1036/netsupport_modules/netsupport_modules.yml
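Review bot: The `description` value in this hunk is the generic template sentence and does not say what activity the Sysmon log actually records, which is what a detection author validating a rule against the dataset needs; the same applies to netsupport_modules.yml and delete_runmru_reg.yml further down. I would extend it along the lines of `description: Sysmon events (<EVENT TYPES / IDs PRESENT>) generated in attack range while <SIMULATED ACTIVITY>, for testing T1036.008 detections.` with the placeholders filled from the log, since the yml itself does not state them. The file is also committed without a trailing newline (`\ No newline at end of file`), as are the other two yml files; adding the final newline keeps yamllint and future diffs clean. The lines after `- name:` appear here with a one-space indent; if that is the committed indentation rather than a rendering artifact, `path`, `sourcetype` and `source` must be indented to align with `name` for the mapping to parse.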
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: ddd747f6-c15d-11f0-8cf9-629be353806a
+date: '2025-11-14'
+description: Generated datasets for netsupport modules in attack range.
+environment: attack_range
+directory: netsupport_modules
+mitre_technique:
+- T1036
+datasets:
+- name: net_support_module.log
+ path: /datasets/attack_techniques/T1036/netsupport_modules/net_support_module.log
+ sourcetype: 'XmlWinEventLog'
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1112/delete_runmru_reg/delete_runmru_reg.yml b/datasets/attack_techniques/T1112/delete_runmru_reg/delete_runmru_reg.yml
new file mode 100644
index 00000000..41df1f6e
--- /dev/null
+++ b/datasets/attack_techniques/T1112/delete_runmru_reg/delete_runmru_reg.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 24e060c4-c15e-11f0-8cf9-629be353806a
+date: '2025-11-14'
+description: Generated datasets for delete runmru reg in attack range.
+environment: attack_range
+directory: delete_runmru_reg
+mitre_technique:
+- T1112
+datasets:
+- name: runmru_deletion.log
+ path: /datasets/attack_techniques/T1112/delete_runmru_reg/runmru_deletion.log
+ sourcetype: 'XmlWinEventLog'
+ source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1112/delete_runmru_reg/runmru_deletion.log b/datasets/attack_techniques/T1112/delete_runmru_reg/runmru_deletion.log
new file mode 100644
index 00000000..fa389a2f
--- /dev/null
+++ b/datasets/attack_techniques/T1112/delete_runmru_reg/runmru_deletion.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:32fb866c1e62fd57d01a78ecb6a2114f8327e6bfcbc06d132e980e046efe6e4d
+size 13237