diff --git a/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log
new file mode 100644
index 00000000..c5e3ab49
--- /dev/null
+++ b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:498b62af6fe8753e73d8973e4ff843aef2efca7a59d346d779d4258fddb258cb
+size 125338
diff --git a/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml
new file mode 100644
index 00000000..61627d00
--- /dev/null
+++ b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml
@@ -0,0 +1,13 @@
+author: Steven Dick
+id: 8c54662e-a3c8-456c-a8bb-928e6c13b641
+date: '2024-5-3'
+description: 'Some simple T1036.003 and T1036.005 tests using moved/renamed cmd.exe'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log
+sourcetypes:
+- xmlwineventlog
+references:
+- https://attack.mitre.org/techniques/T1036/
+- https://attack.mitre.org/techniques/T1036/003/
+- https://attack.mitre.org/techniques/T1036/005/
\ No newline at end of file
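Review bot: `date: '2024-5-3'` in the new yml is not a zero-padded ISO 8601 date, so it will sort and parse differently from `YYYY-MM-DD` entries elsewhere; change it to `date: '2024-05-03'`. The description names the sub-techniques but not the telemetry the log actually contains, and `sourcetypes: xmlwineventlog` alone does not say whether the events carry the fields a renamed-cmd.exe detection (T1036.003) depends on, such as Sysmon Event ID 1 `OriginalFileName` or Security 4688 command-line data; the description should state which event provider and IDs are present, filled in from the log rather than assumed, so detection authors know what this dataset can validate. The file is also missing its trailing newline.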