

Fixed golden
scudette committed Jan 23, 2024
1 parent 03b1134 commit db8f4f8
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions tests/testcases/hayabusa_windows.out.yaml
Expand Up @@ -7,7 +7,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
"Level": "low",
"Title": "Possible Timestomping",
"RecordID": 10147,
"Details": "Path: C:\\Users\\IEUser\\AppData\\Local\\Temp\\302a23.msi ¦ Proc: C:\\Windows\\System32\\msiexec.exe ¦ User: null ¦ CreateTime: CreationUtcTime ¦ PrevTime: PreviousCreationUtcTime ¦ PID: PID ¦ PGUID: 365ABB72-D0DA-5CC8-0000-00109B5A3C00",
"Details": "Path: C:\\Users\\IEUser\\AppData\\Local\\Temp\\302a23.msi ¦ Proc: C:\\Windows\\System32\\msiexec.exe ¦ User: User ¦ CreateTime: CreationUtcTime ¦ PrevTime: PreviousCreationUtcTime ¦ PID: PID ¦ PGUID: 365ABB72-D0DA-5CC8-0000-00109B5A3C00",
"_Event": {
"System": {
"Provider": {
Expand Down Expand Up @@ -59,7 +59,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
"Level": "low",
"Title": "Possible Timestomping",
"RecordID": 10149,
"Details": "Path: C:\\Windows\\Installer\\304d1c.msi ¦ Proc: C:\\Windows\\system32\\msiexec.exe ¦ User: null ¦ CreateTime: CreationUtcTime ¦ PrevTime: PreviousCreationUtcTime ¦ PID: PID ¦ PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00",
"Details": "Path: C:\\Windows\\Installer\\304d1c.msi ¦ Proc: C:\\Windows\\system32\\msiexec.exe ¦ User: User ¦ CreateTime: CreationUtcTime ¦ PrevTime: PreviousCreationUtcTime ¦ PID: PID ¦ PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00",
"_Event": {
"System": {
"Provider": {
Expand Down Expand Up @@ -111,7 +111,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
"Level": "informational",
"Title": "Reg Key Value Set (Noisy)",
"RecordID": 10150,
"Details": "EventType: SetValue ¦ TgtObj: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\InProgress\\(Default): C:\\Windows\\Installer\\304d1d.ipi ¦ Proc: C:\\Windows\\system32\\msiexec.exe ¦ PID: 2080 ¦ PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00",
"Details": "EventType: SetValue ¦ TgtObj: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\InProgress\\(Default): C:\\Windows\\Installer\\304d1d.ipi ¦ Proc: C:\\Windows\\system32\\msiexec.exe ¦ PID: ProcessId ¦ PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00",
"_Event": {
"System": {
"Provider": {
Expand Down Expand Up @@ -163,7 +163,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
"Level": "high",
"Title": "Proc Exec (Non-Exe Filetype)",
"RecordID": 10151,
"Details": "Cmdline: \"C:\\Windows\\Installer\\MSI4FFD.tmp\" ¦ Proc: C:\\Windows\\Installer\\MSI4FFD.tmp ¦ User: IEWIN7\\IEUser ¦ ParentCmdline: C:\\Windows\\system32\\msiexec.exe /V ¦ LID: 65508 ¦ LGUID: LogonGuid ¦ PID: 3680 ¦ PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 ¦ ParentPID: ParentProcessId ¦ ParentPGUID: ParentProcessGuid ¦ Description: ApacheBench command line utility ¦ Product: Apache HTTP Server ¦ Company: Apache Software Foundation ¦ Hashes: SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",
"Details": "Cmdline: \"C:\\Windows\\Installer\\MSI4FFD.tmp\" ¦ Proc: C:\\Windows\\Installer\\MSI4FFD.tmp ¦ User: IEWIN7\\IEUser ¦ ParentCmdline: C:\\Windows\\system32\\msiexec.exe /V ¦ LID: LogonId ¦ LGUID: LogonGuid ¦ PID: ProcessId ¦ PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 ¦ ParentPID: ParentProcessId ¦ ParentPGUID: ParentProcessGuid ¦ Description: ApacheBench command line utility ¦ Product: Apache HTTP Server ¦ Company: Apache Software Foundation ¦ Hashes: SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",
"_Event": {
"System": {
"Provider": {
Expand Down Expand Up @@ -228,7 +228,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
"Level": "informational",
"Title": "DLL Loaded (Noisy)",
"RecordID": 10152,
"Details": "Image: C:\\Windows\\System32\\vbscript.dll ¦ Proc: C:\\Windows\\System32\\msiexec.exe ¦ Description: Microsoft ® VBScript ¦ Product: Microsoft ® VBScript ¦ Company: Microsoft Corporation ¦ Signed: true ¦ Sig: Valid ¦ PID: 2168 ¦ PGUID: 365ABB72-D0E4-5CC8-0000-001022B53E00 ¦ Hash: SHA1=BCF66BE6C4D4FB0775E199C32EE2154AAC97F901,MD5=D4C89F6BCCC04D43BAC82F795A552DA5,SHA256=F7F7BF8C86CD2C6A27D20076B5713FBD60647CE0716DFEC0BB65895E92AE0830,IMPHASH=9F8EEA636265FC0065E869A2EAEFE7AF ¦ OrigFilename: null",
"Details": "Image: C:\\Windows\\System32\\vbscript.dll ¦ Proc: C:\\Windows\\System32\\msiexec.exe ¦ Description: Microsoft ® VBScript ¦ Product: Microsoft ® VBScript ¦ Company: Microsoft Corporation ¦ Signed: true ¦ Sig: Valid ¦ PID: ProcessId ¦ PGUID: 365ABB72-D0E4-5CC8-0000-001022B53E00 ¦ Hash: SHA1=BCF66BE6C4D4FB0775E199C32EE2154AAC97F901,MD5=D4C89F6BCCC04D43BAC82F795A552DA5,SHA256=F7F7BF8C86CD2C6A27D20076B5713FBD60647CE0716DFEC0BB65895E92AE0830,IMPHASH=9F8EEA636265FC0065E869A2EAEFE7AF ¦ OrigFilename: OriginalFilename",
"_Event": {
"System": {
"Provider": {
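Review bot: The replaced `Details` strings trade concrete event values for what look like unresolved field names — `PID: 2080` becomes `PID: ProcessId`, `LID: 65508` becomes `LID: LogonId`, `User: null` becomes `User: User` and `OrigFilename: null` becomes `OrigFilename: OriginalFilename` — assuming the second line of each pair is the new side, since the `+`/`-` markers did not survive rendering. If that is the new output, this golden locks in a rendering where the detail template's placeholders are no longer substituted from the event, which strips the process id, logon id and user from the alert text and leaves nothing to triage or pivot on; the same pattern appears in all five hunks. The pre-existing `CreateTime: CreationUtcTime ¦ PrevTime: PreviousCreationUtcTime` on both sides suggests substitution was already partial before this change. Worth confirming this is the intended output of the hayabusa artifact rather than a field-substitution regression being accepted by the test, and a one-line comment at the top of the test case such as `# Details keeps unresolved placeholder names where the event lacks the field` would save the next reader the same question if it is intended.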

