
Merge pull request #10 from jtaylo78/master
Sysmon RemoteThread ELSA parsers
dougburks authored Jul 29, 2016
2 parents 53a1a80 + 5b9280c commit d246e64
Showing 2 changed files with 65 additions and 1 deletion.
46 changes: 46 additions & 0 deletions contrib/parsers/windows
Expand Up @@ -2,6 +2,52 @@
<ruleset name="SYSMON" id='777'>
<pattern>ossec_archive</pattern>
<rules>

<!-- Create remote thread sysmon 3 and 3.10 -->
<rule provider="DefensiveDepth-SYSMON3" class='10777' id='10777'>
<patterns>
<pattern>@NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4::@->WinEvtLog @ESTRING::(@@NUMBER::):@): @ESTRING:::@ SYSTEM: NT AUTHORITY: @ESTRING:s0::@ @ESTRING:: SequenceNumber:@ @NUMBER::@ @ESTRING:: SourceProcessGuid:@ {@ESTRING:s1:}@ @ESTRING:: SourceImage: @@ESTRING:s2: TargetProcessGuid: {@@ESTRING:s3:}@@ESTRING:: TargetImage: @@ESTRING:s4: NewThreadId:@</pattern>
<pattern>@NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4::@->WinEvtLog @ESTRING::(@@NUMBER::):@): @ESTRING:::@ SYSTEM: NT AUTHORITY: @ESTRING:s0:: @@ESTRING:: SourceProcessGuid:@ {@ESTRING:s1:}@ @ESTRING:: SourceImage: @@ESTRING:s2: TargetProcessGuid: {@@ESTRING:s3:}@@ESTRING:: TargetImage: @@ESTRING:s4: NewThreadId:@@ESTRING:: StartAddress:@@ESTRING:: StartModule: @@ESTRING:s5: StartFunction:@</pattern>

</patterns>

<examples>
<example>
<test_message program="ossec_archive">2015 Jun 02 02:18:10 (windows7_x64) 192.168.142.6->WinEvtLog 2015 Jun 01 15:53:02 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(8): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-KTL39CHEPFC: CreateRemoteThread detected: SequenceNumber: 599 UtcTime: 6/1/2015 09:53:02.371 PM SourceProcessGuid: {F17228B0-CB16-556C-0000-0010A6A90000} SourceProcessId: 468 SourceImage: C:\Windows\System32\csrss.exe TargetProcessGuid: {F17228B0-CC30-556C-0000-0010B6510500} TargetProcessId: 1668 TargetImage: C:\Windows\System32\cmd.exe NewThreadId: 756</test_message>
<!-- host-->
<test_value name="s0">WIN-KTL39CHEPFC</test_value>
<!-- sourceprocessguid-->
<test_value name="s1">F17228B0-CB16-556C-0000-0010A6A90000</test_value>
<!-- sourceimage-->
<test_value name="s2">C:\Windows\System32\csrss.exe</test_value>
<!-- targetProcessGuid-->
<test_value name="s3">F17228B0-CC30-556C-0000-0010B6510500</test_value>
<!-- targetimage-->
<test_value name="s4">C:\Windows\System32\cmd.exe</test_value>

</example>
<example>
<test_message program="ossec_archive">2015 Aug 08 16:41:28 (james_dell) 192.168.1.101->WinEvtLog 2015 Aug 08 10:41:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(8): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: james-laptop: CreateRemoteThread detected: UtcTime: 2015-08-08 16:41:25.215 SourceProcessGuid: {16F5F390-BD09-55BF-0000-001019A80300} SourceProcessId: 2688 SourceImage: C:\Windows\System32\wbem\WmiPrvSE.exe TargetProcessGuid: {16F5F390-3135-55C6-0000-0010C123FC1A} TargetProcessId: 225012 TargetImage: C:\Windows\System32\wbem\WmiApSrv.exe NewThreadId: 226380 StartAddress: 0x00007FFE7EA30710 StartModule: C:\Windows\SYSTEM32\ntdll.dll StartFunction: </test_message>
<!-- host-->
<test_value name="s0">james-laptop</test_value>
<!-- sourceprocessguid-->
<test_value name="s1">16F5F390-BD09-55BF-0000-001019A80300</test_value>
<!-- sourceimage-->
<test_value name="s2">C:\Windows\System32\wbem\WmiPrvSE.exe</test_value>
<!-- targetProcessGuid-->
<test_value name="s3">16F5F390-3135-55C6-0000-0010C123FC1A</test_value>
<!-- targetimage-->
<test_value name="s4">C:\Windows\System32\wbem\WmiApSrv.exe</test_value>
<!-- startmodule -->
<test_value name="s5">C:\Windows\SYSTEM32\ntdll.dll</test_value>

</example>


</examples>
</rule>


<rule provider="DefensiveDepth" class='10778' id='10778'>
<patterns>
<pattern>@NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4::@->WinEvtLog @ESTRING::Microsoft-Windows-Sysmon/Operational: INFORMATION(1):@@ESTRING:::@@ESTRING:::@@ESTRING:::@ @ESTRING:s0::@@ESTRING::{@@ESTRING:s1:}@@ESTRING::Image: @@ESTRING:s2: CommandLine: @@ESTRING::CurrentDirectory: @@ESTRING::User: @@ESTRING:s3: LogonGuid:@@ESTRING::Hashes: @@ESTRING:s4: @@ESTRING::ParentImage: @@ESTRING:s5: ParentCommandLine:@</pattern>
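Review bot: The two patterns in rule 10777 do not yield the same capture set — only the second pattern (the one ending in `StartFunction:@`) produces s5 (StartModule), so any event matched by the first pattern leaves s5 empty, and whether the class tolerates that or the event is dropped should be confirmed and written down. The leading comment `<!-- Create remote thread sysmon 3 and 3.10 -->` is the only explanation; I would extend it to `<!-- CreateRemoteThread (INFORMATION(8) in the examples): pattern 1 = layout with SequenceNumber and no StartModule (s5 absent); pattern 2 = layout with StartAddress/StartModule/StartFunction (s5 = StartModule) -->`. The provider attribute `DefensiveDepth-SYSMON3` also differs from the neighbouring rule's `DefensiveDepth`; if the suffix carries no meaning to the parser, aligning them avoids a grep surprise. Neither pattern captures SourceProcessId, TargetProcessId or StartAddress, which are the values an analyst pivots on when triaging a remote-thread event; if the class has integer slots free (SYSMON_NETWORK maps orders 5 and 6 for ports), capturing the two process ids would make the event actionable without a trip back to the raw archive. Rule 10778 continues past the end of this section.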
20 changes: 19 additions & 1 deletion contrib/sql/sysmon.sql
Expand Up @@ -34,4 +34,22 @@ INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES (
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_NETWORK"), (SELECT id FROM fields WHERE field="initiated"), 15);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_NETWORK"), (SELECT id FROM fields WHERE field="destip"), 16);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_NETWORK"), (SELECT id FROM fields WHERE field="sourceport"), 5);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_NETWORK"), (SELECT id FROM fields WHERE field="destport"), 6);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_NETWORK"), (SELECT id FROM fields WHERE field="destport"), 6);


/* Creates SYSMON_REMOTETHREAD Class & associated fields */
INSERT IGNORE INTO classes (id, class) VALUES (10777, "SYSMON_REMOTETHREAD");

INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("hostname","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("sourceprocessguid","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("sourceimage","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("targetprocessguid","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("targetimage","string", "QSTRING");
INSERT IGNORE INTO fields (field, field_type, pattern_type) VALUES ("startmodule","string", "QSTRING");

INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_REMOTETHREAD"), (SELECT id FROM fields WHERE field="hostname"), 11);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_REMOTETHREAD"), (SELECT id FROM fields WHERE field="sourceprocessguid"), 12);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_REMOTETHREAD"), (SELECT id FROM fields WHERE field="sourceimage"), 13);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_REMOTETHREAD"), (SELECT id FROM fields WHERE field="targetprocessguid"), 14);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_REMOTETHREAD"), (SELECT id FROM fields WHERE field="targetimage"), 15);
INSERT IGNORE INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SYSMON_REMOTETHREAD"), (SELECT id FROM fields WHERE field="startmodule"), 16);
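Review bot: Each `(SELECT id FROM fields WHERE field="…")` in the new fields_classes_map rows assumes the field name is unique in `fields`, yet the preceding `INSERT IGNORE` statements only dedupe if a unique key exists on `field`; without one, a name such as `hostname` that is presumably already registered by another class yields a second row, and the scalar subquery then fails with a multi-row error at apply time. Whether that key exists is outside this hunk, so I would state the assumption above the field inserts, e.g. `-- relies on a UNIQUE key on fields.field so INSERT IGNORE dedupes and the scalar subqueries below stay single-row`, and verify it against the schema before this lands. The field_order values 11-16 appear to line up with captures s0-s5 of rule 10777 (hostname=s0 … startmodule=s5) but nothing here says so; a comment `-- field_order 11-16 correspond to string captures s0-s5 in rule 10777 (contrib/parsers/windows)` makes the coupling to the parser file explicit. Note also that startmodule (s5) is only filled by the second pattern of that rule, so events matched by the older layout will carry an empty startmodule.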
