From 85408297c64f2eb1aab7fe9553efb84d797641c6 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Mon, 20 Apr 2026 16:37:58 +0200
Subject: [PATCH] vip_env
---
.../vip_env_var_execution/env_vip_pwh_intl.log | 3 +++
.../vip_env_var_execution/vip_env_var_execution.yml | 13 +++++++++++++
2 files changed, 16 insertions(+)
create mode 100644 datasets/attack_techniques/T1059.001/vip_env_var_execution/env_vip_pwh_intl.log
create mode 100644 datasets/attack_techniques/T1059.001/vip_env_var_execution/vip_env_var_execution.yml
diff --git a/datasets/attack_techniques/T1059.001/vip_env_var_execution/env_vip_pwh_intl.log b/datasets/attack_techniques/T1059.001/vip_env_var_execution/env_vip_pwh_intl.log
new file mode 100644
index 00000000..1d93920f
--- /dev/null
+++ b/datasets/attack_techniques/T1059.001/vip_env_var_execution/env_vip_pwh_intl.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:753422f11067b2d865601462f1eb2609c8e33e09e3f4fe1eecc5d67ff964948a
+size 22781
diff --git a/datasets/attack_techniques/T1059.001/vip_env_var_execution/vip_env_var_execution.yml b/datasets/attack_techniques/T1059.001/vip_env_var_execution/vip_env_var_execution.yml
new file mode 100644
index 00000000..1a83e559
--- /dev/null
+++ b/datasets/attack_techniques/T1059.001/vip_env_var_execution/vip_env_var_execution.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 47f8b9ce-3cc6-11f1-99d5-629be353806a
+date: '2026-04-20'
+description: Generated datasets for vip env var execution in attack range.
+environment: attack_range
+directory: vip_env_var_execution
+mitre_technique:
+- T1059.001
+datasets:
+- name: env_vip_pwh_intl.log
+ path: /datasets/attack_techniques/T1059.001/vip_env_var_execution/env_vip_pwh_intl.log
+ sourcetype: 'XmlWinEventLog'
+ source: 'XmlWinEventLog:Microsoft-Windows-PowerShell/Operational'
\ No newline at end of file
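Review bot: The `description` in vip_env_var_execution.yml does not tell a detection author what the dataset captures: "vip" is never expanded, and nothing says which behaviour or event IDs to expect in env_vip_pwh_intl.log. Because the log arrives only as a Git LFS pointer, this manifest is the only reviewable description of it, so I would make it specific, for example `description: PowerShell Operational events for <what "vip" refers to> env var execution, generated in attack range.`, with the placeholder filled in by the author. The captured events cannot be inspected from this patch, so it is worth confirming before merge that they hold no lab hostnames, account names or secrets that should not be published. The file also ends without a trailing newline (`\ No newline at end of file`); add one after the `source:` line.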