Hi Craig, the raw event is: 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1 .hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\ administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4- 1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\ Explorer.EXE
but, OSSEC adds a header in archives.log: *2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog *2016 Jul 29 22 :32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4- 1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator \Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\ administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4- 1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\ Explorer.EXE So, you must always use *ossec-logtest* without headers: 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1 .hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\ administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4- 1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\ Explorer.EXE **Phase 1: Completed pre-decoding. full event: '2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE' hostname: 'ip-10-0-0-10' program_name: '(null)' log: '2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE' **Phase 2: Completed decoding. decoder: 'windows' status: 'C:\Users\administrator\Desktop\svchost.exe' dstuser: 'HACKME\Administrator' url: 'C019D10F80409FC4C7D45EBFA48B0076' extra_data: 'C:\Windows\explorer.exe' **Phase 3: Completed filtering (rules). Rule id: '184666' Level: '12' Description: 'Sysmon - Suspicious Process - svchost.exe' **Alert to be generated. You can find decoders for all sysmon events here <https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L197> . On Monday, August 1, 2016 at 12:14:19 AM UTC+2, Craig wrote: > > Great, thank you. That does help troubleshoot. So, I do have a follow up > question. Here is the default decoder: > > <decoder name="Sysmon-EventID#1"> > <type>windows</type> > <prematch>INFORMATION\(1\)</prematch> > <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: > (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* > \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: > \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) > \s*ParentCommandLine:</regex> > <order>status,user,url,data</order> > </decoder> > > However, when I remove the prepended data from my archives.log file and > send it through logtest, the decoder doesn't work (if I leave the prepended > data there, the decoder works). Any ideas why this might be happening? See > below for my logtest: > > *Prepended Data Removed:* > > **Phase 1: Completed pre-decoding. > full event: '2016 Jul 29 22:32:24 WinEvtLog: > Microsoft-Windows-Sysmon/Operational: INFORMATION(1): > Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: > Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: > {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: > C:\Users\administrator\Desktop\svchost.exe CommandLine: > "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: > C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: > {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b > TerminalSessionId: 1 IntegrityLevel: High Hashes: > MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: > {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: > C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE' > hostname: 'ubuntu-srv1' > program_name: 'WinEvtLog' > log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1): > Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: > Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: > {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: > C:\Users\administrator\Desktop\svchost.exe CommandLine: > "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: > C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: > {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b > TerminalSessionId: 1 IntegrityLevel: High Hashes: > MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: > {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: > C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE' > > ***Phase 2: Completed decoding.* > * No decoder matched.* > > *Prepended Data Intact:* > > **Phase 1: Completed pre-decoding. > full event: '2016 Jul 29 22:32:25 (WIN7-X64-PC1) > 172.16.213.5->WinEvtLog 2016 Jul 29 22:32:24 WinEvtLog: > Microsoft-Windows-Sysmon/Operational: INFORMATION(1): > Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: > Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: > {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: > C:\Users\administrator\Desktop\svchost.exe CommandLine: > "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: > C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: > {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b > TerminalSessionId: 1 IntegrityLevel: High Hashes: > MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: > {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: > C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE' > hostname: '(WIN7-X64-PC1)' > program_name: '(null)' > log: '172.16.213.5->WinEvtLog 2016 Jul 29 22:32:24 WinEvtLog: > Microsoft-Windows-Sysmon/Operational: INFORMATION(1): > Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: > Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: > {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: > C:\Users\administrator\Desktop\svchost.exe CommandLine: > "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: > C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: > {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b > TerminalSessionId: 1 IntegrityLevel: High Hashes: > MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: > {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: > C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE' > > ***Phase 2: Completed decoding.* > * decoder: 'Sysmon-EventID#1'* > > > > > > On Friday, July 29, 2016 at 11:22:46 AM UTC-5, LostInThe Tubez wrote: >> >> Delving into Sysmon event log parsing reveals just how monumental a task >> it is to parse out useful information from Windows event logs. The >> challenge is that nearly each and every Event ID has a different log >> format, which essentially means that almost every Event ID needs its own >> decoder... I may be waxing a little dramatic here, but the point is that to >> properly parse Windows logs, the original decoder needs to be made more >> generic and LOTS more child decoders need to be developed. At least, that >> is the approach I took, personally. Maybe I’m totally off base. Been >> testing it for a few months and it seems to work OK, but I haven’t done any >> auditing to see if I’ve broken anything. Anyway, here’s what I did and what >> works for me at the moment. If you go this route, you’ll need to comment >> out the original windows decoder in /var/ossec/etc/decoder.xml (and >> whatever else sysmon-related might have made it in there since last I >> looked; I’m not running the latest beta). I put these in local_decoder.xml: >> >> >> >> <decoder name="windows"> >> >> <type>windows</type> >> >> <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: >> |^WinEvtLog: </prematch> >> >> </decoder> >> >> >> >> <decoder name="windows-defaultlogs"> >> >> <parent>windows</parent> >> >> <type>windows</type> >> >> <use_own_name>true</use_own_name> >> >> <prematch offset="after_parent">^Application: |^Security: >> |^System: </prematch> >> >> <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex> >> >> <regex>(\.+): \.+: (\S+): </regex> >> >> <order>status, id, extra_data, user, system_name</order> >> >> <fts>name, location, user, system_name</fts> >> >> </decoder> >> >> >> >> <decoder name="windows-sysmon-eventID1"> >> >> <parent>windows</parent> >> >> <type>windows</type> >> >> <prematch >> offset="after_parent">^Microsoft-Windows-Sysmon/Operational: >> INFORMATION\(1\)</prematch> >> >> <regex >> offset="after_parent">^Microsoft-Windows-Sysmon/Operational: (\w+)\((\d)\): >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: (\S+): Process Create: \.+ >> ProcessId: \d+ Image: (\.*) CommandLine: \.*</regex> >> >> <regex> User: (\.*) LogonGuid: \S* LogonId: \S* >> TerminalSessionId: \d* IntegrityLevel: \w* Hashes: \w+=(\w*) >> ParentProcessGuid: \S* ParentProcessID: \S* ParentImage: (\.+)</regex> >> >> <order>status, id, system_name, dstuser, srcuser, url, >> extra_data, extra_data</order> >> >> </decoder> >> >> >> >> >> >> Put this in your local_rules.xml: >> >> <rule id="184600" level="1"> >> >> <if_sid>18101</if_sid> >> >> <id>^1$</id> >> >> <description>Sysmon Process Launch Event</description> >> >> </rule> >> >> >> >> If you haven’t done so already, it is always helpful to enable logall >> mode when you’re working on new decoders. This will retain a copy of every >> single log line sent to your OSSEC manager. In your ossec.conf on the >> manager, put <logall>yes</logall> in a global tag somewhere and restart the >> service. You will now have a record of all logs sent to the manager, not >> just those that generate alerts. The current day’s archival logs are in >> /var/ossec/logs/archives/archives.log. Note that in order to run these >> particular logs through ossec-logtest, you’ll need to remove a prepended >> bit of text. So, edit a log entry like this: >> >> >> >> 2016 Jul 29 08:33:17 (hostname) 100.200.123.123->WinEvtLog 2016 Jul 29 >> 08:36:08 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): >> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: >> hostname.subdomain.domain.tld: Process Create: UtcTime: 2016-07-29 >> 15:36:08.268 ProcessGuid: {A560AB96-77E8-579B-0000-0010B7B17E50} >> ProcessId: 50292 Image: C:\Program Files (x86)\KeePass Password Safe >> 2\KeePass.exe CommandLine: "C:\Program Files (x86)\KeePass Password Safe >> 2\KeePass.exe" CurrentDirectory: C:\Program Files (x86)\KeePass Password >> Safe 2\ User: domain\username LogonGuid: >> {A560AB96-40DE-578E-0000-00209886AB02} LogonId: 0x2AB8698 >> TerminalSessionId: 1 IntegrityLevel: Medium Hashes: >> SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C ParentProcessGuid: >> {A560AB96-40E0-578E-0000-0010285AAC02} ParentProcessId: 7540 ParentImage: >> C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE >> >> >> >> to become: >> >> 2016 Jul 29 08:36:08 WinEvtLog: Microsoft-Windows-Sysmon/Operational: >> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: >> hostname.subdomain.domain.tld: Process Create: UtcTime: 2016-07-29 >> 15:36:08.268 ProcessGuid: {A560AB96-77E8-579B-0000-0010B7B17E50} >> ProcessId: 50292 Image: C:\Program Files (x86)\KeePass Password Safe >> 2\KeePass.exe CommandLine: "C:\Program Files (x86)\KeePass Password Safe >> 2\KeePass.exe" CurrentDirectory: C:\Program Files (x86)\KeePass Password >> Safe 2\ User: domain\username LogonGuid: >> {A560AB96-40DE-578E-0000-00209886AB02} LogonId: 0x2AB8698 >> TerminalSessionId: 1 IntegrityLevel: Medium Hashes: >> SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C ParentProcessGuid: >> {A560AB96-40E0-578E-0000-0010285AAC02} ParentProcessId: 7540 ParentImage: >> C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE >> >> >> >> before copy/pasting into ossec-logtest. This is the best way to go about >> testing an eventchannel log. You get to see exactly what is decoded and >> which rules are triggered. >> >> >> >> >> >> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On >> Behalf Of *Craig >> *Sent:* Thursday, July 28, 2016 8:24 PM >> *To:* ossec-list <ossec...@googlegroups.com> >> *Subject:* [ossec-list] eventchannel decoder testing >> >> >> >> I am currently running 2.9RC2 on both client and server: >> >> >> >> What is the best way to go about testing an eventchannel log? I have the >> following set in my local ossec.conf on my windows agent: >> >> >> >> <localfile> >> >> <location>Microsoft-Windows-Sysmon/Operational</location> >> >> <log_format>eventchannel</log_format> >> >> </localfile> >> >> >> >> I am using the default sysmon decoder included on my server: >> >> >> >> <decoder name="Sysmon-EventID#1"> >> >> <type>windows</type> >> >> <prematch>INFORMATION\(1\)</prematch> >> >> <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: >> (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* >> \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: >> \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) >> \s*ParentCommandLine:</regex> >> >> <order>status,user,url,data</order> >> >> </decoder> >> >> >> >> I modified the default sysmon rule so that I would capture all process >> creates by setting the level to 1: >> >> >> >> <rule id="184700" level="1"> >> >> <if_sid>18100</if_sid> >> >> <description>Sysmon - Process Create Event</description> >> >> </rule> >> >> >> >> >> >> I would think that i would now see all process creates in my alerts.log >> but unfortunately I don't see any sysmon events at all. Any idea on the >> best way to troubleshoot this? Thank you! >> >> >> >> >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ossec-list+...@googlegroups.com. >> For more options, visit https://groups.google.com/d/optout. >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.