diff --git a/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log b/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log
index ac899c57..74b64fa7 100644
--- a/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log
+++ b/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:2cf81658ebba24d30c16ae41b9f717a957cf8c8cc55a825e46a70b5cb3b4829f
-size 3921
+oid sha256:7bf9e6a750c86f2baeb9e49cfc3f1f8172864abb90f6be5ba68525890689b7a8
+size 10491
diff --git a/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml b/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml
index 8b4439fa..67e4fb6e 100644
--- a/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml
+++ b/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml
@@ -7,9 +7,11 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/zeek-dce_rpc.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/windows-security.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/windows-directory_service.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log
 sourcetypes:
 - bro:dce_rpc:json
 - WinEventLog
+- XmlWinEventLog
 references:
 - https://adsecurity.org/?p=1729
 - https://attack.mitre.org/techniques/T1003/006
diff --git a/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log b/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log
new file mode 100644
index 00000000..37d693d3
--- /dev/null
+++ b/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log
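Review bot: The new `dataset:` entry names the file `xml-windows-security.log`, while the impacket sibling touched at the top of this same commit and every T1222.001 and T1484.001 log added below use the `windows-security-xml.log` suffix; settling on one convention now (the `*_windows-security-xml.log` form is the majority in this diff) avoids detections hard-coding two spellings of the same kind of file. The hunk also adds `XmlWinEventLog` to `sourcetypes:` without any change to `description:`, so a reader of the YAML cannot tell whether the XML log is the same DCSync capture re-exported in XML rendering or a separate run; a short addition such as `description: ... XML-rendered Security log of the same activity is provided as xml-windows-security.log` (wording to be confirmed by the author) would settle it. The `description:` field itself lies outside this hunk.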
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a6aae604a62bc25f84851071a28b5acf63bb23a7246749f38d69bf0b180ed2b2
+size 16106
diff --git a/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log b/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
index 424d9d90..4744b862 100644
--- a/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
+++ b/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:22c1effa1eb90fa371477ad356df669c0086df4a863ae9ed5edcedd2033238d2
-size 507721
+oid sha256:d989f2eea18d026813b3123a57cd625d3066fdd5b9f2ed0c93dfc596dc4f1fa1
+size 508813
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml
new file mode 100644
index 00000000..a7fb64a9
--- /dev/null
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml
@@ -0,0 +1,18 @@
+author: Dean Luxton
+id: 809e0d76-4d6a-46d9-ba5d-0b4a838bb98a
+date: '2023-12-06'
+description: Collection of various DACL abuse events generated manually in Active Directory.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://happycamper84.medium.com/sneaky-persistence-via-hidden-objects-in-ad-1c91fc37bf54
+- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log b/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log
new file mode 100644
index 00000000..bc16c9df
--- /dev/null
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log
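Review bot: `description:` says only "Collection of various DACL abuse events generated manually", but the seven `dataset:` entries are seven distinct scenarios (hidden object, hidden OU, group DACL modification, user DACL modification, domain-root ACL deletion and modification, owner change) and nothing in the YAML says which file holds which, nor which audit configuration had to be in place for the events to be written at all. Expanding the description to enumerate the scenario behind each file, and adding the same Active Directory audit-trail reference that the T1484.001 `group_policy_created.yml` in this commit cites, would let a detection author choose the right file without fetching all seven LFS objects. Each of the seven filenames matches an LFS pointer added further down in the diff, so the list itself looks complete.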
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6fa77314a8cc4c7e1dfb6d82bf68e0c94bc2be5cd7a44eee408bbfe6827bb1c7
+size 7468
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log b/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log
new file mode 100644
index 00000000..43f46ce8
--- /dev/null
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3f6ecb2972b617b25c954b6070be5b6e3dbd3ddbf1cb84c764fcc7a72fd9442c
+size 7473
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log b/datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log
new file mode 100644
index 00000000..ac37a3c0
--- /dev/null
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ff48e8fcab46aa8aad08ef716cdb90170c3cdf31f9a334e540d2d17648506f3
+size 17643
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log b/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log
new file mode 100644
index 00000000..98bd5539
--- /dev/null
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e18a16c790a313520b9ad1e520c088cb616068c2d2cfdd26b7f497b599c51b4b
+size 14899
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log b/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log
new file mode 100644
index 00000000..2ac58f1b
--- /dev/null
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc93baaea9c8e66f2602f128074683e6b69b6e0c8206f93ab816f4786e38b67b
+size 6456
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log b/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log
new file mode 100644
index 00000000..098258ba
--- /dev/null
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0bcca6d39b07bb0aa99c7e2ce9239f24dae82282c014b618b74687f7d320121b
+size 10217
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log b/datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log
new file mode 100644
index 00000000..055bedb2
--- /dev/null
+++ b/datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0fc9b1cd976eff8d6f80a3a9d0e1442eddde2287f89ada10a29ff66e56338d34
+size 7781
diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml b/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml
new file mode 100644
index 00000000..ba6d6129
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml
@@ -0,0 +1,16 @@
+author: Dean Luxton
+id: eaf30c7d-bff6-4273-8d5e-83154ffe25d0
+date: '2023-12-18'
+description: Manual Group Policy Object modification on a domain controller.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_deletion_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_disabled_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_new_cse_windows-security-xml.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://github.com/PowerShellMafia/PowerSploit/blob/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1#L5907-L6122
+- https://wald0.com/?p=179
+- https://learn.microsoft.com/en-gb/archive/blogs/mempson/group-policy-client-side-extension-list
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log b/datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log
new file mode 100644
index 00000000..7e3cc524
--- /dev/null
+++ b/datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fb57d94637f0e10b80eff6dd414bc6eec20dd9418f41fc56e42ad8c19bb55cae
+size 395516
diff --git a/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log b/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log
index 695d0352..4ef047ed 100644
--- a/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log
+++ b/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log
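Review bot: The three `dataset:` URLs (`gpo_deletion_windows-security-xml.log`, `gpo_disabled_windows-security-xml.log`, `gpo_new_cse_windows-security-xml.log`) do not correspond to any file added in this diff; the only log added under `T1484.001/gpo_modification/` is `windows-security.log`, which the YAML never references and whose name does not match the `XmlWinEventLog` sourcetype declared here. Unless those three XML logs already exist on `master` or arrive in a separate commit, the dataset is not usable as committed; either add the three LFS pointers, or list `windows-security.log` under `dataset:` with a `WinEventLog` sourcetype the way `dcsync.yml` in this same commit does. The file name `group_policy_created.yml` also disagrees with both the description ("modification") and the deletion/disabled/new-CSE scenarios it lists, which is worth aligning before the `id` is referenced by detections.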
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:96cb4214dc4de61adf35e1146e63f2c98c85759044ed65f566236504c64476e2
-size 10782
+oid sha256:b827c898ec8db09639be632c9893f06a2ff5807243407a73ba15ba10e528f818
+size 16319