Rob,
Just a tip: if you have VirtualBox or VMware, throw a Manager on there and use it to 
test your rules and decoders. You can just paste the log into 
ossec-logtest. It will sure save you a lot of heartache when 
troubleshooting.

Hope that helps

On Monday, April 25, 2016 at 10:13:13 AM UTC-4, Rob B wrote:
>
> Dang good idea!   Thanks Dan!
>
> On Monday, April 25, 2016 at 9:35:20 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Apr 22, 2016 at 4:16 PM, Rob B <[email protected]> wrote: 
>> > Hello All, 
>> > 
>> >    Does anyone have a decoder for Windows Defender floating around out 
>> > there? 
>> > 
>> > I'm having a heck of a time...   Here is the event channel event example if 
>> > anyone is curious or can help (Win10 box): 
>> > 
>>
>> The easiest way to provide log samples that can be turned into 
>> decoders and rules is to turn on the logall option, and grab the logs 
>> from /var/ossec/logs/archives/archives.log on the manager. 
>>
>> > Log Name:      Microsoft-Windows-Windows Defender/Operational 
>> > Source:        Microsoft-Windows-Windows Defender 
>> > Date:          4/22/2016 4:05:17 PM 
>> > Event ID:      1116 
>> > Task Category: None 
>> > Level:         Warning 
>> > Keywords: 
>> > User:          SYSTEM 
>> > Computer:      VICTIM0 
>> > Description: 
>> > Windows Defender has detected malware or other potentially unwanted 
>> > software. 
>> >  For more information please see the following: 
>> > http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0
>> >   Name: Trojan:Win32/Bagsu!rfn 
>> >   ID: 2147694406 
>> >   Severity: Severe 
>> >   Category: Trojan 
>> >   Path: containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe->(VFS:svchost.exe)
>> >   Detection Origin: Network share 
>> >   Detection Type: Concrete 
>> >   Detection Source: Real-Time Protection 
>> >   User: frog 
>> >   Process Name: C:\Windows\explorer.exe 
>> >   Signature Version: AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0 
>> >   Engine Version: AM: 1.1.12603.0, NIS: 2.1.11804.0 
>> > 
>> > Event Xml: 
>> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
>> >   <System> 
>> >     <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" /> 
>> >     <EventID>1116</EventID> 
>> >     <Version>0</Version> 
>> >     <Level>3</Level> 
>> >     <Task>0</Task> 
>> >     <Opcode>0</Opcode> 
>> >     <Keywords>0x8000000000000000</Keywords> 
>> >     <TimeCreated SystemTime="2016-04-22T20:05:17.551083000Z" /> 
>> >     <EventRecordID>95</EventRecordID> 
>> >     <Correlation ActivityID="{ECC2B320-F9A6-41AD-9F17-5C9EE24D3330}" /> 
>> >     <Execution ProcessID="2332" ThreadID="4540" /> 
>> >     <Channel>Microsoft-Windows-Windows Defender/Operational</Channel> 
>> >     <Computer>VICTIM0</Computer> 
>> >     <Security UserID="S-1-5-77" /> 
>> >   </System> 
>> >   <EventData> 
>> >     <Data Name="Product Name">%%827</Data> 
>> >     <Data Name="Product Version">4.9.10586.0</Data> 
>> >     <Data Name="Detection ID">{CAADD684-36C9-444B-8A6D-8CE537A93E40}</Data> 
>> >     <Data Name="Detection Time">2016-04-22T20:04:40.369Z</Data> 
>> >     <Data Name="Unused"> 
>> >     </Data> 
>> >     <Data Name="Unused2"> 
>> >     </Data> 
>> >     <Data Name="Threat ID">2147694406</Data> 
>> >     <Data Name="Threat Name">Trojan:Win32/Bagsu!rfn</Data> 
>> >     <Data Name="Severity ID">5</Data> 
>> >     <Data Name="Severity Name">Severe</Data> 
>> >     <Data Name="Category ID">8</Data> 
>> >     <Data Name="Category Name">Trojan</Data> 
>> >     <Data Name="FWLink">http://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Bagsu!rfn&amp;threatid=2147694406&amp;enterprise=0</Data> 
>> >     <Data Name="Status Code">1</Data> 
>> >     <Data Name="Status Description"> 
>> >     </Data> 
>> >     <Data Name="State">1</Data> 
>> >     <Data Name="Source ID">3</Data> 
>> >     <Data Name="Source Name">%%818</Data> 
>> >     <Data Name="Process Name">C:\Windows\explorer.exe</Data> 
>> >     <Data Name="Detection User">frog</Data> 
>> >     <Data Name="Unused3"> 
>> >     </Data> 
>> >     <Data Name="Path">containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe;file:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe-&gt;(VFS:svchost.exe)</Data> 
>> >     <Data Name="Origin ID">2</Data> 
>> >     <Data Name="Origin Name">%%846</Data> 
>> >     <Data Name="Execution ID">1</Data> 
>> >     <Data Name="Execution Name">%%813</Data> 
>> >     <Data Name="Type ID">0</Data> 
>> >     <Data Name="Type Name">%%822</Data> 
>> >     <Data Name="Pre Execution Status">0</Data> 
>> >     <Data Name="Action ID">9</Data> 
>> >     <Data Name="Action Name">%%887</Data> 
>> >     <Data Name="Unused4"> 
>> >     </Data> 
>> >     <Data Name="Error Code">0x00000000</Data> 
>> >     <Data Name="Error Description">The operation completed successfully. </Data> 
>> >     <Data Name="Unused5"> 
>> >     </Data> 
>> >     <Data Name="Post Clean Status">0</Data> 
>> >     <Data Name="Additional Actions ID">0</Data> 
>> >     <Data Name="Additional Actions String">No additional actions required</Data> 
>> >     <Data Name="Remediation User"> 
>> >     </Data> 
>> >     <Data Name="Unused6"> 
>> >     </Data> 
>> >     <Data Name="Signature Version">AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0</Data> 
>> >     <Data Name="Engine Version">AM: 1.1.12603.0, NIS: 2.1.11804.0</Data> 
>> >   </EventData> 
>> > </Event> 
>> > 
>> > 
>> > Thanks!, Rob 
>> > 
>> > -- 
>> > 
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups 
>> > "ossec-list" group. 
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> > email to [email protected]. 
>> > For more options, visit https://groups.google.com/d/optout. 
>>
>
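Since nobody in the thread actually posts one, here is an added example of a decoder and rule pair for Defender event 1116 that can be checked with ossec-logtest as Dan suggests; it is not from the list, from OSSEC's own decoder.xml, or from any OSSEC release. It assumes the stock `windows` parent decoder and base rule 18100 are loaded, that the eventchannel agent flattens the event description onto one line (the constructed sample in the comment shows the assumed shape), and rule ids 100200/100201 are placeholders to be replaced with free ids.

```xml
<!-- Added example, not from the thread or from OSSEC's stock decoder.xml.
     Assumption: the eventchannel agent delivers the event as one line, with the
     description's line breaks turned into runs of spaces. Constructed sample
     line for ossec-logtest (paste it as a single line, fields shortened):

     WinEvtLog: Microsoft-Windows-Windows Defender/Operational: WARNING(1116): Microsoft-Windows-Windows Defender: (no user): no domain: VICTIM0: Windows Defender has detected malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bagsu!rfn&threatid=2147694406&enterprise=0   Name: Trojan:Win32/Bagsu!rfn   ID: 2147694406   Severity: Severe   Category: Trojan   Path: containerfile:_\\10.0.1.10\share\Malware_For_Demo\REAL_BAD_Malz2\Server.exe   Detection Origin: Network share   Detection Type: Concrete   Detection Source: Real-Time Protection   User: frog   Process Name: C:\Windows\explorer.exe   Signature Version: AV: 1.217.2054.0, AS: 1.217.2054.0, NIS: 115.8.0.0
-->

<!-- Decoder: goes in decoder.xml (or the local decoder file where your version
     supports one). The stock "windows" decoder already yields status WARNING,
     id 1116 and system_name VICTIM0; this child pulls the Defender fields out
     of the description text that follows. -->
<decoder name="windows-defender-detect">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>Windows Defender has detected</prematch>
  <regex offset="after_prematch">Name: (\S+)\s+ID: \d+\s+Severity: (\S+)\s+Category: \S+\s+Path: (\.+)\s+Detection Origin: \.+\s+Detection Type: \S+\s+Detection Source: \.+\s+User: (\S+)\s+Process Name: </regex>
  <!-- threat name to extra_data (overrides whatever the parent stored there),
       severity to action, path to data, detection user to user -->
  <order>extra_data, action, data, user</order>
</decoder>

<!-- Rules: go in /var/ossec/rules/local_rules.xml. Ids 100200/100201 are
     placeholders; pick ids that are free in your ruleset. -->
<group name="windows,defender,">
  <!-- Any 1116 "threat detected" event, hung off the base Windows rule 18100 -->
  <rule id="100200" level="10">
    <if_sid>18100</if_sid>
    <id>^1116$</id>
    <match>Windows Defender has detected</match>
    <description>Windows Defender detected malware or potentially unwanted software.</description>
    <group>virus,</group>
  </rule>
  <!-- Raise the level when Defender rated the threat Severe (decoded into action) -->
  <rule id="100201" level="12">
    <if_sid>100200</if_sid>
    <action>Severe</action>
    <description>Windows Defender detected a threat rated Severe.</description>
    <group>virus,</group>
  </rule>
</group>
```

Run /var/ossec/bin/ossec-logtest on the manager, paste the sample line, and confirm it reports extra_data, action, data and user before trusting the rule on live agents.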
