security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity

Merge PR #5857 from @swachchhanda000 - chore: add missing json logs

Browse Source 
chore: add missing json logs
This commit is contained in:
Swachchhanda Shrawan Poudel
2026-03-03 16:46:07 +05:45
committed by GitHub
parent 37fe8969ae
commit 3c2407864e
2 changed files with 118 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json
+66
View File
@@ -0,0 +1,66 @@
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 1,
"Version": 5,
"Level": 4,
"Task": 1,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-01-05T06:59:26.079827Z"
}
},
"EventRecordID": 75087,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3636,
"ThreadID": 4340
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"UtcTime": "2026-01-05 06:59:26.059",
"ProcessGuid": "0197231E-614E-695B-DC0C-000000000C00",
"ProcessId": 11680,
"Image": "C:\\Windows\\System32\\reg.exe",
"FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)",
"Description": "Registry Console Tool",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "reg.exe",
"CommandLine": "\"C:\\WINDOWS\\system32\\reg.exe\" add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v \"Common Startup\" /t REG_SZ /d C:\\Test\\calc.exe /f",
"CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
"User": "swachchhanda\\xodih",
"LogonGuid": "0197231E-70FA-694F-AED1-150000000000",
"LogonId": "0x15d1ae",
"TerminalSessionId": 1,
"IntegrityLevel": "High",
"Hashes": "MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0",
"ParentProcessGuid": "0197231E-7211-694F-D001-000000000C00",
"ParentProcessId": 9524,
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ParentCommandLine": "powershell -ep bypass",
"ParentUser": "swachchhanda\\xodih"
}
}
}
regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/9c226817-8dc9-46c2-a58d-66655aafd7dc.json
+52
View File
@@ -0,0 +1,52 @@
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 13,
"Version": 2,
"Level": 4,
"Task": 13,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-01-05T06:29:01.086253Z"
}
},
"EventRecordID": 74886,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3636,
"ThreadID": 4340
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"EventType": "SetValue",
"UtcTime": "2026-01-05 06:29:01.070",
"ProcessGuid": "0197231E-7211-694F-D001-000000000C00",
"ProcessId": 9524,
"Image": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
"Details": "C:\\Test\\calc.exe",
"User": "swachchhanda\\xodih"
}
}
}