From 298b1801261d3bfeb3d2bcbce2ac3227ba7280f3 Mon Sep 17 00:00:00 2001
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Mon, 2 Feb 2026 16:01:30 -0700
Subject: [PATCH] Lotus Blossom

---
 .../T1059.005/lotus_blossom_chrysalis/dataset.yml | 13 +++++++++++++
 .../lotus_blossom_chrysalis/windows-sysmon.log | 3 +++
 .../T1543.003/lotus_blossom_chrysalis/dataset.yml | 13 +++++++++++++
 .../lotus_blossom_chrysalis/windows-system.log | 3 +++
 .../T1574.002/lotus_blossom_chrysalis/dataset.yml | 13 +++++++++++++
 .../lotus_blossom_chrysalis/windows-sysmon.log | 3 +++
 6 files changed, 48 insertions(+)
 create mode 100644 datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/dataset.yml
 create mode 100644 datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
 create mode 100644 datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/dataset.yml
 create mode 100644 datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log
 create mode 100644 datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/dataset.yml
 create mode 100644 datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log

diff --git a/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/dataset.yml b/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/dataset.yml
new file mode 100644
index 00000000..9532c5f8
--- /dev/null
+++ b/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/dataset.yml
@@ -0,0 +1,13 @@
+author: Michael Haag, Splunk
+id: 5010d236-00a5-434f-bfeb-20af07d478aa
+date: '2026-02-02'
+description: Lotus Blossom TinyCC shellcode execution simulation. Svchost.exe executed with TinyCC compiler flags (-nostdlib -run) to simulate Chrysalis backdoor's shellcode compilation technique.
+environment: attack_range
+directory: lotus_blossom_chrysalis
+mitre_technique:
+- T1059.005
+datasets:
+- name: windows-sysmon.log
+  path: /datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log b/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
new file mode 100644
index 00000000..702252bb
--- /dev/null
+++ b/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb5ea7112ec60ef8c6c4abfe3f2d5eccb0d7e8435e0da8ffdc7ff276878e7caf
+size 4713
diff --git a/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/dataset.yml b/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/dataset.yml
new file mode 100644
index 00000000..cc4f6ae4
--- /dev/null
+++ b/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/dataset.yml
@@ -0,0 +1,13 @@
+author: Michael Haag, Splunk
+id: bfab9adc-3767-487a-87cd-35f1a7cd8706
+date: '2026-02-02'
+description: Lotus Blossom BluetoothService persistence test execution. Service created in user AppData directory for persistence.
+environment: attack_range
+directory: lotus_blossom_chrysalis
+mitre_technique:
+- T1543.003
+datasets:
+- name: windows-system.log
+  path: /datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log
+  sourcetype: XmlWinEventLog:System
+  source: XmlWinEventLog:System
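Review bot: The `- T1059.005` entry under `mitre_technique` does not match what the `description` line documents: T1059.005 is the Visual Basic sub-technique of Command and Scripting Interpreter, while this dataset records svchost.exe run with TinyCC's `-nostdlib -run` flags to compile shellcode in memory. Unless the captured Sysmon events also contain a VBScript stage the description omits, the tag should be reconsidered (the parent `- T1059` is at least not wrong) so that detections validated against this data are not attributed to the wrong sub-technique. Separately, none of the three dataset.yml files in this patch (this one, the T1543.003 one below, and the T1574.002 one in the next file section) states which event the test actually produces; a clause in each description such as `Sysmon process-creation event for svchost.exe with -nostdlib -run on the command line` would make the datasets self-describing for whoever writes or re-validates a search against them.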
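Review bot: The `description` line says the service is created in the user's AppData directory, but the only dataset listed is the System channel (`sourcetype: XmlWinEventLog:System`), so the installation is captured without the process that registered it. That is adequate for a detection keyed on the service name or its binary path, but a detection that correlates the creating process (sc.exe, PowerShell, or the backdoor itself) will have no coverage here, and the file gives no hint of that limitation. Consider either adding the matching Sysmon capture as a second `datasets` entry or noting the scope in the description, e.g. `Only the System-channel service installation event is captured; no process telemetry`, and confirm that the captured log holds the Service Control Manager installation event (7045) rather than only start/stop events.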
diff --git a/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log b/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log
new file mode 100644
index 00000000..e26af2b8
--- /dev/null
+++ b/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a93c337278af4bd34e2cb4ebebf32144a6827d40f760d0ecb6dbd80be2370f8e
+size 2326
diff --git a/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/dataset.yml b/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/dataset.yml
new file mode 100644
index 00000000..e81e3fc8
--- /dev/null
+++ b/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/dataset.yml
@@ -0,0 +1,13 @@
+author: Michael Haag, Splunk
+id: 66eb3815-e429-4bc2-a8f1-e3ea8bc7e8c2
+date: '2026-02-02'
+description: Lotus Blossom Bitdefender DLL side-loading test execution. Rundll32.exe loading malicious log.dll from user directory mimicking Bitdefender Submission Wizard abuse.
+environment: attack_range
+directory: lotus_blossom_chrysalis
+mitre_technique:
+- T1574.002
+datasets:
+- name: windows-sysmon.log
+  path: /datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log b/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log
new file mode 100644
index 00000000..e00a305f
--- /dev/null
+++ b/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:66dad57f32a2178a924c5742ac7b68fa74d745d9efb8ac7796067e3464b9307c
+size 9226
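Review bot: The `description` line in the T1574.002 dataset.yml calls the side-loaded `log.dll` "malicious", yet `environment: attack_range` and the surrounding wording make clear this is a test execution; phrasing it as a test artifact, e.g. `Rundll32.exe loading a test log.dll from the user profile directory, modelled on Bitdefender Submission Wizard side-loading`, avoids implying that the dataset or its generating harness ships real malware. The description also names rundll32.exe as the loader while the technique being mimicked is side-loading by a legitimate signed host, so it is worth stating explicitly whether the capture contains the rundll32.exe process-creation event, the image-load event for log.dll, or both, because a side-loading detection typically keys on one of those and the file as written does not say. The two LFS pointer hunks in this section carry nothing to review beyond confirming the referenced objects were pushed.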