add regression test

Author: swachchhanda000

regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-04T07:01:44.982629Z"
+        }
+      },
+      "EventRecordID": 27923,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3116,
+          "ThreadID": 1656
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-04 07:01:44.963",
+      "ProcessGuid": "0197231E-31D8-6931-7209-000000000900",
+      "ProcessId": 13752,
+      "Image": "C:\\Windows\\System32\\cmd.exe",
+      "FileVersion": "10.0.26100.2454 (WinBuild.160101.0800)",
+      "Description": "Windows Command Processor",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "Cmd.Exe",
+      "CommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"start /b /min C:\\Users\\xodih\\Music\\random.vbs\"",
+      "CurrentDirectory": "C:\\WINDOWS\\system32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-BBFB-692F-3C8C-050000000000",
+      "LogonId": "0x58c3c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=352B525E9C26CB92693899528FE007C2,SHA256=1F1D918EC49E0B7C59B704FF412E1A6E224DA81C08CDA657E1CB482ABAAC146C,IMPHASH=94F3EFC2DF40ECD7229B904540DD83CF",
+      "ParentProcessGuid": "0197231E-BBFF-692F-8200-000000000900",
+      "ParentProcessId": 5200,
+      "ParentImage": "C:\\Windows\\explorer.exe",
+      "ParentCommandLine": "C:\\WINDOWS\\Explorer.EXE",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.json

@@ -0,0 +1,12 @@
+id: d813db34-f7f0-4713-a419-b491701aa1d1
+description: N/A
+date: 2025-12-04
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
+      title: Cmd Launched with Hidden Start Flags to Suspicious Targets
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx

regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml

@@ -76,3 +76,4 @@ falsepositives:
     - Legitimate administrative scripts running from temporary folders.
     - Niche software updaters utilizing hidden batch files in ProgramData.
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml