diff --git a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
new file mode 100644
index 00000000..f04eeb38
--- /dev/null
+++ b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2ff8b475eaec6f05411043503cf210d126c15e6a747a8c5f5c5241af1b106f4
+size 8767
diff --git a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml
new file mode 100644
index 00000000..e6d4f1e0
--- /dev/null
+++ b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml
@@ -0,0 +1,13 @@
+author: Steven Dick
+id: 8d818c50-7925-4664-82c6-f8eb626d4c2f
+date: '2025-01-17'
+description: 'Sample of events from executing suspicious files from a recently attached USB drive.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://attack.mitre.org/techniques/T1200/
+- https://www.cisa.gov/news-events/news/using-caution-usb-drives
+- https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
\ No newline at end of file