From 0ff7f1ec26bf3c07bbf5e42e436d7ae12ad4eeaf Mon Sep 17 00:00:00 2001
From: Raven Tait
Date: Mon, 23 Mar 2026 14:10:21 -0400
Subject: [PATCH] First test data for snap conversion
---
.../T1491/snapattack/snapattack.log | 3 +++
.../T1491/snapattack/snapattack.yml | 14 ++++++++++++++
2 files changed, 17 insertions(+)
create mode 100644 datasets/attack_techniques/T1491/snapattack/snapattack.log
create mode 100644 datasets/attack_techniques/T1491/snapattack/snapattack.yml
diff --git a/datasets/attack_techniques/T1491/snapattack/snapattack.log b/datasets/attack_techniques/T1491/snapattack/snapattack.log
new file mode 100644
index 00000000..55abaecf
--- /dev/null
+++ b/datasets/attack_techniques/T1491/snapattack/snapattack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3dacab92adb8b808d1558ac0b1b9b749e4b00aa7b7581fe6649748817d28a758
+size 4252
diff --git a/datasets/attack_techniques/T1491/snapattack/snapattack.yml b/datasets/attack_techniques/T1491/snapattack/snapattack.yml
new file mode 100644
index 00000000..ae402f5c
--- /dev/null
+++ b/datasets/attack_techniques/T1491/snapattack/snapattack.yml
@@ -0,0 +1,14 @@
+author: Raven Tait, Splunk
+id: 4d3ff572-755b-474d-8239-4989c920ca93
+date: '2026-03-23'
+description: Generated datasets for Windows PowerShell Post Exploitation Common Keywords
+ in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1491
+datasets:
+- name: snapattack
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Security
+ path: /datasets/attack_techniques/T1491/snapattack/snaattack.log
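Review bot: The `path` on the last line of snapattack.yml points to `snaattack.log`, but the file this commit adds is `snapattack.log`, so anything that resolves the dataset through this field will not find the log; it should read `path: /datasets/attack_techniques/T1491/snapattack/snapattack.log`. Separately, the description names PowerShell post-exploitation keywords while the entry is filed under T1491 with `source: XmlWinEventLog:Security`. That combination looks inconsistent, but it cannot be confirmed from the LFS pointer alone. If the events were captured from a PowerShell channel or the detection maps to a different technique, the directory, `mitre_technique` and `source` should be aligned with the actual log contents before more conversions follow this template.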