Enrich LSASS and scheduled task fixtures

Author: kbugra

tests/dataset/T1053.005_Scheduled_Task_Persistence/schtasks_create.json

@@ -1 +1,46 @@
-{"EventID": 1, "ProviderGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /tn \"WindowsUpdate\" /tr \"C:\\Windows\\Temp\\malware.exe\" /sc onstart /ru System", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 2048, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "UtcTime": "2023-10-25 16:45:12.000", "Computer": "WORKSTATION-01.local"}
+[
+  {
+    "EventID": 1,
+    "ProviderGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+    "Image": "C:\\Windows\\System32\\cmd.exe",
+    "CommandLine": "cmd.exe /c schtasks.exe /create /tn \"WindowsUpdate\" /tr \"C:\\Windows\\Temp\\malware.exe\" /sc onstart /ru System",
+    "User": "NT AUTHORITY\\SYSTEM",
+    "ProcessId": 2020,
+    "ParentImage": "C:\\Windows\\System32\\services.exe",
+    "UtcTime": "2023-10-25 16:45:10.000",
+    "Computer": "WORKSTATION-01.local"
+  },
+  {
+    "EventID": 1,
+    "ProviderGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+    "Image": "C:\\Windows\\System32\\schtasks.exe",
+    "CommandLine": "schtasks.exe /query /tn \"MicrosoftEdgeUpdateTaskMachineCore\"",
+    "User": "NT AUTHORITY\\SYSTEM",
+    "ProcessId": 2032,
+    "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+    "UtcTime": "2023-10-25 16:45:11.000",
+    "Computer": "WORKSTATION-01.local"
+  },
+  {
+    "EventID": 1,
+    "ProviderGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+    "Image": "C:\\Windows\\System32\\schtasks.exe",
+    "CommandLine": "schtasks.exe /create /tn \"WindowsUpdate\" /tr \"C:\\Windows\\Temp\\malware.exe\" /sc onstart /ru System",
+    "User": "NT AUTHORITY\\SYSTEM",
+    "ProcessId": 2048,
+    "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+    "UtcTime": "2023-10-25 16:45:12.000",
+    "Computer": "WORKSTATION-01.local"
+  },
+  {
+    "EventID": 1,
+    "ProviderGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+    "Image": "C:\\Windows\\Temp\\malware.exe",
+    "CommandLine": "\"C:\\Windows\\Temp\\malware.exe\"",
+    "User": "NT AUTHORITY\\SYSTEM",
+    "ProcessId": 2216,
+    "ParentImage": "C:\\Windows\\System32\\taskeng.exe",
+    "UtcTime": "2023-10-25 16:46:00.000",
+    "Computer": "WORKSTATION-01.local"
+  }
+]

tests/dataset/mordor_lsass_dump.json

@@ -1,12 +1,50 @@
-{
+[
+  {
+    "EventID": 1,
+    "Channel": "Microsoft-Windows-Sysmon/Operational",
+    "Computer": "DESKTOP-THREAT-LAB",
+    "EventData": {
+      "Image": "C:\\Temp\\mimikatz.exe",
+      "CommandLine": "mimikatz.exe \"sekurlsa::logonpasswords\" exit",
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "User": "THREAT-LAB\\operator",
+      "ProcessId": "4124",
+      "ParentProcessId": "3988"
+    }
+  },
+  {
     "EventID": 10,
     "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Computer": "DESKTOP-THREAT-LAB",
     "EventData": {
-        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
-        "GrantedAccess": "0x1010",
-        "SourceImage": "C:\\Temp\\mimikatz.exe",
-        "SourceProcessId": "4124",
-        "TargetProcessId": "652"
+      "TargetImage": "C:\\Windows\\System32\\lsass.exe",
+      "GrantedAccess": "0x1010",
+      "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
+      "SourceProcessId": "1220",
+      "TargetProcessId": "652"
+    }
+  },
+  {
+    "EventID": 10,
+    "Channel": "Microsoft-Windows-Sysmon/Operational",
+    "Computer": "DESKTOP-THREAT-LAB",
+    "EventData": {
+      "TargetImage": "C:\\Windows\\System32\\lsass.exe",
+      "GrantedAccess": "0x1010",
+      "SourceImage": "C:\\Temp\\mimikatz.exe",
+      "SourceProcessId": "4124",
+      "TargetProcessId": "652"
+    }
+  },
+  {
+    "EventID": 11,
+    "Channel": "Microsoft-Windows-Sysmon/Operational",
+    "Computer": "DESKTOP-THREAT-LAB",
+    "EventData": {
+      "TargetFilename": "C:\\Temp\\lsass_20260320.dmp",
+      "Image": "C:\\Temp\\mimikatz.exe",
+      "ProcessId": "4124",
+      "User": "THREAT-LAB\\operator"
     }
-}
+  }
+]