From 5111ec62b449e538d9d3401be042299505305e04 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 13 Feb 2025 19:35:32 -0500
Subject: [PATCH] Uploading
---
 .../compattelrunner_abuse/compattelrunner_abuse.log | 3 +++
 .../compattelrunner_abuse/compattelrunner_abuse.yml | 13 +++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 datasets/attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.log
 create mode 100644 datasets/attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.yml
diff --git a/datasets/attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.log b/datasets/attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.log
new file mode 100644
index 00000000..c1c963af
--- /dev/null
+++ b/datasets/attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cda644f8c240f802ab174acbf006da9e15ff91051d8a8dfa6d10793999f18805
+size 19166
diff --git a/datasets/attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.yml b/datasets/attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.yml
new file mode 100644
index 00000000..12edf054
--- /dev/null
+++ b/datasets/attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.yml
@@ -0,0 +1,13 @@
+author: Steven Dick
+id: fcb9a608-5ccd-4106-a277-089d03277b0d
+date: '2025-02-10'
+description: 'Sample events for CompatTelRunner abuse.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://attack.mitre.org/techniques/T1546/
+- https://scythe.io/threat-thursday/windows-telemetry-persistence
+- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
\ No newline at end of file
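Review bot: The `dataset:` URL on the new side points at `.../attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log`, but this commit creates the log under `.../attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.log` (see the `+++` path and the `create mode` lines), so the download link will not resolve to the committed data. Either move both new files up to `datasets/attack_techniques/T1546/compattelrunner_abuse/` or change the entry to `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/compattelrunner_abuse/compattelrunner_abuse.log`; since `adminsdholder_modified` looks like an unrelated sibling dataset, the nesting appears to be a stray path rather than the intended layout, so the former is probably the fix. The file also ends without a trailing newline, which the other dataset manifests in this tree presumably have.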