From 9ff045c51e0ea1dfcf7ae1609f2c01f32f2e6731 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Mon, 6 Jan 2025 11:30:58 -0500
Subject: [PATCH] initial upload
---
 .../rdp/query_remote_usage/query_remote_usage.log | 3 +++
 .../rdp/query_remote_usage/query_remote_usage.yml | 12 ++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log
 create mode 100644 datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.yml
diff --git a/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log
new file mode 100644
index 00000000..92aabd26
--- /dev/null
+++ b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c0abb08c7fd7ef9a21251f059932a16813c2fdad9c6cb05a0389fcd6aa166820
+size 8122
diff --git a/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.yml b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.yml
new file mode 100644
index 00000000..d9864ea8
--- /dev/null
+++ b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.yml
@@ -0,0 +1,12 @@
+author: Steven Dick
+id: d5ce6a18-1de6-4351-9148-f81d47ae2a44
+date: '2025-01-06'
+description: 'A set of events related the usage of query.exe on remote devices.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://attack.mitre.org/techniques/T1033/
+- https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3
\ No newline at end of file
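Review bot: The `dataset:` URL in the new YAML points at `datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.log`, but the LFS object this commit adds lives at `datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log`, so the published link will not resolve to the uploaded file once merged. The `references:` entry and the directory also disagree on the technique — T1033 (System Owner/User Discovery) in the metadata versus T1133 (External Remote Services) in the path — and one of the two should be corrected so the dataset is discoverable under the technique it is meant to exercise. If the directory is authoritative, the dataset line becomes `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log`. Minor: the description reads "related the usage" — `description: 'A set of events related to the usage of query.exe on remote devices.'` — and the file is missing its trailing newline.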