diff --git a/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log
new file mode 100644
index 00000000..92aabd26
--- /dev/null
+++ b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c0abb08c7fd7ef9a21251f059932a16813c2fdad9c6cb05a0389fcd6aa166820
+size 8122
diff --git a/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.yml b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.yml
new file mode 100644
index 00000000..d9864ea8
--- /dev/null
+++ b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.yml
@@ -0,0 +1,12 @@
+author: Steven Dick
+id: d5ce6a18-1de6-4351-9148-f81d47ae2a44
+date: '2025-01-06'
+description: 'A set of events related the usage of query.exe on remote devices.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://attack.mitre.org/techniques/T1033/
+- https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3
\ No newline at end of file
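Review bot: The `dataset:` URL in query_remote_usage.yml points at `datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.log`, but this commit adds the log under `datasets/attack_techniques/T1133/rdp/query_remote_usage/`, so the link presumably will not resolve to the file added here and any detection test that fetches it would fail. The `references:` entry also cites T1033, which suggests the directory rather than the URL may be the mistake; either move both files under `T1033/query_remote_usage/` or change the entry to `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log`. The description is missing a word and should read `description: 'A set of events related to the usage of query.exe on remote devices.'`. The file also ends without a trailing newline.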