diff --git a/datasets/attack_techniques/T1068/bluehammer/bluehammer.yml b/datasets/attack_techniques/T1068/bluehammer/bluehammer.yml
new file mode 100644
index 00000000..96721461
--- /dev/null
+++ b/datasets/attack_techniques/T1068/bluehammer/bluehammer.yml
@@ -0,0 +1,18 @@
+author: Raven Tait, Splunk
+id: 430623fe-f2ec-42a1-9015-41077aa40f74
+date: '2026-04-27'
+description: Generated datasets for Bluehammer privilege escalation
+  in attack range.
+environment: attack_range
+directory: snapattack
+mitre_technique:
+- T1068
+datasets:
+- name: windows-security
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
+  path: /datasets/attack_techniques/T1068/bluehammer/windows-security.log
+- name: windows-sysmon
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  path: /datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log
diff --git a/datasets/attack_techniques/T1068/bluehammer/windows-security.log b/datasets/attack_techniques/T1068/bluehammer/windows-security.log
new file mode 100644
index 00000000..0ecd9d46
--- /dev/null
+++ b/datasets/attack_techniques/T1068/bluehammer/windows-security.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b8eb42204e28a818de619ba3ec78504e0252c08863ea71d5b672cbf58174c563
+size 1105
diff --git a/datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log b/datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log
new file mode 100644
index 00000000..27fd0a8e
--- /dev/null
+++ b/datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a350bcb6ca3827f1deaf57e415a188807331e49af3a38c5335e58928afef19f
+size 6109
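Review bot: The `description` in the bluehammer.yml hunk identifies the dataset only as "Bluehammer privilege escalation in attack range", without saying what Bluehammer is (a tool, a CVE, an exploit chain) or which events the two logs are expected to carry, so a detection author cannot tell from the manifest what signal a T1068 detection should be validated against. The LFS pointer for `windows-security.log` reports a size of 1105 bytes, which presumably means that log holds only one or two events, making it more important that the manifest names them. I would widen the description into a block scalar, `description: >-`, keeping the existing sentence and adding one line naming the source tool/reference for Bluehammer, the OS the data was captured on, and the Security and Sysmon event IDs (or process names) present in each log. The exact event list has to come from the captured logs, which are stored in LFS and not visible in this diff.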