It seems the output of ossec-logtest was cut off in the previous post. I am pasting 
it here again:


2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1
.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  
ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: C:\Users\
administrator\Desktop\  User: HACKME\Administrator  LogonGuid: {67C360F4-
1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  
IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  
ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId: 
3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\
Explorer.EXE




**Phase 1: Completed pre-decoding.
       full event: '2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'
       hostname: 'ip-10-0-0-10'
       program_name: '(null)'
       log: '2016 Jul 29 22:32:24 WinEvtLog: 
Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: 
{67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image: 
C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
"C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: 
C:\Users\administrator\Desktop\  User: HACKME\Administrator  LogonGuid: 
{67C360F4-1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b 
 TerminalSessionId: 1  IntegrityLevel: High  Hashes: 
MD5=C019D10F80409FC4C7D45EBFA48B0076  ParentProcessGuid: 
{67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId: 3056  ParentImage: 
C:\Windows\explorer.exe  ParentCommandLine: C:\Windows\Explorer.EXE'


**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'C:\Users\administrator\Desktop\svchost.exe'
       dstuser: 'HACKME\Administrator'
       url: 'C019D10F80409FC4C7D45EBFA48B0076'
       extra_data: 'C:\Windows\explorer.exe'


**Phase 3: Completed filtering (rules).
       Rule id: '184666'
       Level: '12'
       Description: 'Sysmon - Suspicious Process - svchost.exe'

You can find decoders for all sysmon events here: 
<https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L197>.

Regards.






On Monday, August 1, 2016 at 9:46:31 AM UTC+2, Jesus Linares wrote:
>
> Hi Craig,
>
> the raw event is:
> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-
> PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  
> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  
> Image: C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: C:\Users\
> administrator\Desktop\  User: HACKME\Administrator  LogonGuid: {67C360F4-
> 1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  
> IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  
> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId
> : 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\
> Windows\Explorer.EXE
>
> but, OSSEC adds a header in archives.log:
>
> *2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog *2016 Jul 29 
> 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): 
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: 
> Process Create:  UtcTime: 2016-07-30 03:32:24.846  ProcessGuid: {67C360F4-
> 1FC8-579C-0000-001017F41E00}  ProcessId: 3988  Image: C:\Users\
> administrator\Desktop\svchost.exe  CommandLine: 
> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: C:\Users\
> administrator\Desktop\  User: HACKME\Administrator  LogonGuid: {67C360F4-
> 1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  
> IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  
> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId
> : 3056  ParentImage: C:\Windows\explorer.exe  ParentCommandLine: C:\
> Windows\Explorer.EXE
>
>
> So, you must always use *ossec-logtest* without headers:
> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-
> PC1.hackme.local: Process Create:  UtcTime: 2016-07-30 03:32:24.846  
> ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  
> Image: C:\Users\administrator\Desktop\svchost.exe  CommandLine: 
> "C:\Users\administrator\Desktop\svchost.exe"   CurrentDirectory: C:\Users\
> administrator\Desktop\  User: HACKME\Administrator  LogonGuid: {67C360F4-
> 1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  TerminalSessionId: 1  
> IntegrityLevel: High  Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  
> ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId
> : 3056<sp
>
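
Added example (not code from this thread, nor from OSSEC or Wazuh) that ties the two points above together: stripping the archives.log header that must not be fed to ossec-logtest, and pulling the Sysmon "Process Create" fields out of the raw WinEvtLog line so they can be compared against what the Phase 2 output shows. The sample line is constructed from the event quoted above. Assumptions: the header regex follows the `<date> (<agent>) <ip>-><location> ` shape of the quoted archives.log line, and the surrounding `*` characters are treated as mail-client emphasis; the order of the WinEvtLog preamble fields (channel, level(id), provider, account, domain, host, task) is taken from the event as it appears here; the `status`/`dstuser`/`url`/`extra_data` mapping only mirrors the Phase 2 output; and `suspicious_svchost` is a hypothetical check in the spirit of the rule description, since rule 184666 itself is not shown in the thread.

```python
import re
from typing import Dict, Optional

# Constructed sample, built from the archives.log line quoted in the thread:
# OSSEC's "<date> (<agent>) <ip>-><location> " header followed by the raw event.
ARCHIVES_LINE = (
    "2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog "
    "2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: "
    "INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: "
    "Win7-x64-PC1.hackme.local: Process Create:  "
    "UtcTime: 2016-07-30 03:32:24.846  "
    "ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00}  ProcessId: 3988  "
    "Image: C:\\Users\\administrator\\Desktop\\svchost.exe  "
    "CommandLine: \"C:\\Users\\administrator\\Desktop\\svchost.exe\"   "
    "CurrentDirectory: C:\\Users\\administrator\\Desktop\\  "
    "User: HACKME\\Administrator  "
    "LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600}  LogonId: 0x6bc6b  "
    "TerminalSessionId: 1  IntegrityLevel: High  "
    "Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076  "
    "ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600}  ParentProcessId: 3056  "
    "ParentImage: C:\\Windows\\explorer.exe  ParentCommandLine: C:\\Windows\\Explorer.EXE"
)

# Assumed archives.log header shape; the optional '*' tolerates the emphasis
# marks that the mail client added around the header in the quoted post.
ARCHIVES_HEADER = re.compile(
    r"^\*?\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \([^)]+\) \S+->\S+ \*?"
)

# WinEvtLog preamble, field order as seen in the thread's event (assumption).
WINEVTLOG_PREAMBLE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<level>\w+)\((?P<event_id>\d+)\): (?P<provider>[^:]+): "
    r"(?P<account>[^:]+): (?P<account_domain>[^:]+): (?P<hostname>[^:]+): "
    r"(?P<task>[^:]+):\s+(?P<fields>.*)$"
)


def strip_archives_header(line: str) -> str:
    """Drop the archives.log prefix so the result is what ossec-logtest expects."""
    return ARCHIVES_HEADER.sub("", line, count=1)


def parse_sysmon_event(raw: str) -> Dict[str, str]:
    """Split a raw Sysmon WinEvtLog line into preamble fields plus 'Key: value' pairs."""
    m = WINEVTLOG_PREAMBLE.match(raw)
    if not m:
        raise ValueError("not a WinEvtLog line")
    event = {k: v for k, v in m.groupdict().items() if k != "fields"}
    # Sysmon message fields are "Key: value" pairs separated by two or more spaces.
    # Caveat: a CommandLine that itself contains a double space would be split too.
    for item in re.split(r"\s{2,}", m.group("fields").strip()):
        key, sep, value = item.partition(": ")
        if sep:
            event[key] = value
    return event


def to_ossec_fields(event: Dict[str, str]) -> Dict[str, str]:
    """Mirror the field mapping the thread's Phase 2 output shows for the 'windows' decoder."""
    md5 = re.search(r"MD5=([0-9A-Fa-f]{32})", event.get("Hashes", ""))
    return {
        "decoder": "windows",
        "status": event.get("Image", ""),
        "dstuser": event.get("User", ""),
        "url": md5.group(1) if md5 else "",
        "extra_data": event.get("ParentImage", ""),
    }


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def suspicious_svchost(event: Dict[str, str]) -> Optional[str]:
    """Hypothetical check (assumption, the real rule 184666 is not shown here):
    flag svchost.exe launched from outside the Windows system directories."""
    image = event.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "svchost.exe" and not image.lower().startswith(SYSTEM_DIRS):
        return f"svchost.exe running from {image!r} (parent {event.get('ParentImage', '?')})"
    return None


if __name__ == "__main__":
    raw = strip_archives_header(ARCHIVES_LINE)
    event = parse_sysmon_event(raw)
    for key, value in to_ossec_fields(event).items():
        print(f"{key}: {value!r}")
    print(suspicious_svchost(event))
```

Running the script prints the same four decoded fields as the Phase 2 output above and then the finding for the Desktop copy of svchost.exe; feeding `strip_archives_header(...)` output to ossec-logtest is the equivalent of removing the header by hand as described in the quoted reply.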
