Add vmtoolsd execution

RavenTait · RavenTait · commit f9504ae9e881 · 2025-07-30T14:12:48.000-04:00
diff --git a/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.log b/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdb0794700ffe957bbf8914768c60f43eaf3261c7c2f8c1c06d7c01e60f6be25
+size 2385
diff --git a/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml b/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml
@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 45640c5f-9ef7-4d93-aa3e-2bc188d0be0a
+date: '2025-07-30'
+description: 'Sample of Sysmon events showing execution of commands on a host via VMWare Tools.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/vmtoolsd_execution/vmtoolsd_execution.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://attack.mitre.org/techniques/T1059

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:cdb0794700ffe957bbf8914768c60f43eaf3261c7c2f8c1c06d7c01e60f6be25`
	`3`	`+size 2385`