Re: [ossec-list] Re: windows malware detection

2016-03-16 Thread 林威任
And, my agent is w7.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: windows malware detection

2016-03-16 Thread 林威任
This code is my win_malware_rcl.txt:

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe;

r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run
 
-> Acroread-> r:AcroRD32.exe;
p:r:AcroRD32.exe;

Thank you



Re: [ossec-list] Re: windows malware detection

2016-03-15 Thread 林威任
This code is my win_malware_rcl.txt:

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe;

r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft
\Windows\CurrentVersion\Run -> Acroread
-> r:AcroRD32.exe;
p:r:AcroRD32.exe;

Thank you



Re: [ossec-list] Re: windows malware detection

2016-03-15 Thread 林威任
This code is my win_malware_rcl.txt:

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe; 
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft 
\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe; p:r:AcroRD32.exe;
Thank you



Re: [ossec-list] Re: windows malware detection

2016-03-15 Thread Santiago Bassett
Where are you including the configuration? That should go in the file:

/var/ossec/etc/shared/win_malware_rcl.txt

Please paste the contents of that file.

Thank you

On Mon, Mar 14, 2016 at 11:12 PM, 林威任  wrote:

> Sorry, this email is Google Apps for Education.
> About my email, I use Hangouts to send you, is it ok?
> And, this is my agent's log file:
> 016/03/15 14:07:44 ossec-agent: INFO: Started (pid: 3760).
> 2016/03/15 14:07:45 ossec-agent(4102): INFO: Connected to the server (192.168.164.142:1514).
> 2016/03/15 14:07:45 ossec-agent: INFO: System is Vista or newer (Microsoft
> Windows 7 Ultimate Edition Professional Service Pack 1 (Build 7601) - OSSEC
> HIDS v2.8.3).
> 2016/03/15 14:07:45 ossec-agent(1951): INFO: Analyzing event log:
> 'Application'.
> 2016/03/15 14:07:45 ossec-agent(1951): INFO: Analyzing event log:
> 'Security'.
> 2016/03/15 14:07:45 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2016/03/15 14:07:45 ossec-agent: INFO: Started (pid: 3760).
> 2016/03/15 14:08:44 ossec-agent: INFO: Starting syscheck scan (forwarding
> database).
> 2016/03/15 14:08:44 ossec-agent: INFO: Starting syscheck database
> (pre-scan).
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\boot.ini': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/CONFIG.NT': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/debug.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/drwatson.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/drwtsn32.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/edlin.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/eventtriggers.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/rcp.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/rexec.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/rsh.exe': No such file or directory
> 2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/telnet.exe': No such file or directory
> 2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/tftp.exe': No such file or directory
> 2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/tlntsvr.exe': No such file or directory
> 2016/03/15 14:08:46 ossec-agent: INFO: Initializing real time file
> monitoring (not started).
> 2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory:
> 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such
> file or directory
> 2016/03/15 14:08:46 ossec-agent: INFO: Real time file monitoring started.
> 2016/03/15 14:08:46 ossec-agent: INFO: Finished creating syscheck database
> (pre-scan completed).
> 2016/03/15 14:08:56 ossec-agent: INFO: Ending syscheck scan (forwarding
> database).
> 2016/03/15 14:09:16 ossec-agent: INFO: Starting rootcheck scan.
> 2016/03/15 14:09:16 ossec-agent(1252): ERROR: Invalid rk configuration
> value: '[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851] '.
> 2016/03/15 14:09:22 ossec-agent: INFO: Ending rootcheck scan.



Re: [ossec-list] Re: windows malware detection

2016-03-15 Thread 林威任
Sorry, this email is Google Apps for Education.
About my email, I use Hangouts to send you, is it ok?
And, this is my agent's log file:
016/03/15 14:07:44 ossec-agent: INFO: Started (pid: 3760).
2016/03/15 14:07:45 ossec-agent(4102): INFO: Connected to the server (192.168.164.142:1514).
2016/03/15 14:07:45 ossec-agent: INFO: System is Vista or newer (Microsoft 
Windows 7 Ultimate Edition Professional Service Pack 1 (Build 7601) - OSSEC 
HIDS v2.8.3).
2016/03/15 14:07:45 ossec-agent(1951): INFO: Analyzing event log: 
'Application'.
2016/03/15 14:07:45 ossec-agent(1951): INFO: Analyzing event log: 
'Security'.
2016/03/15 14:07:45 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2016/03/15 14:07:45 ossec-agent: INFO: Started (pid: 3760).
2016/03/15 14:08:44 ossec-agent: INFO: Starting syscheck scan (forwarding 
database).
2016/03/15 14:08:44 ossec-agent: INFO: Starting syscheck database 
(pre-scan).
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\boot.ini': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/CONFIG.NT': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/AUTOEXEC.NT': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/debug.exe': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/drwatson.exe': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/drwtsn32.exe': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/edlin.exe': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/eventtriggers.exe': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/rcp.exe': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/rexec.exe': No such file or directory 
2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/rsh.exe': No such file or directory 
2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/telnet.exe': No such file or directory 
2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/tftp.exe': No such file or directory 
2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/tlntsvr.exe': No such file or directory 
2016/03/15 14:08:46 ossec-agent: INFO: Initializing real time file 
monitoring (not started).
2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory: 
'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such 
file or directory 
2016/03/15 14:08:46 ossec-agent: INFO: Real time file monitoring started.
2016/03/15 14:08:46 ossec-agent: INFO: Finished creating syscheck database 
(pre-scan completed).
2016/03/15 14:08:56 ossec-agent: INFO: Ending syscheck scan (forwarding 
database).
2016/03/15 14:09:16 ossec-agent: INFO: Starting rootcheck scan.
2016/03/15 14:09:16 ossec-agent(1252): ERROR: Invalid rk configuration 
value: '[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851] '.
2016/03/15 14:09:22 ossec-agent: INFO: Ending rootcheck scan.



Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread Santiago Bassett
Your emails are very difficult to understand. Please explain better and
give some more context.

Thank you

On Mon, Mar 14, 2016 at 8:59 PM, 林威任  wrote:

> Excuse me,
> (Windows Malware: Trojan Dropper.
> File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe. Reference:
> 0A37D49E798F50C8F1010D5CFDE0E851 )
> After I edited win_malware_rcl.txt, this code didn't appear.
> However, which aspect haven't I done?
> thank you!!!



Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread 林威任
Excuse me, 
(Windows Malware: Trojan Dropper.
File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe. Reference: 
0A37D49E798F50C8F1010D5CFDE0E851 )
After I edited win_malware_rcl.txt, this code didn't appear.
However, which aspect haven't I done?
thank you!!!



Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread Santiago Bassett
It looks like the configuration for rootcheck doesn't have the right
format. I think you are inserting some extra line breaks.

It should look like this:

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run
-> Acroread -> r:AcroRD32.exe;
p:r:AcroRD32.exe;

On Mon, Mar 14, 2016 at 6:17 AM, 林威任  wrote:

> Excuse me, I want to ask something.
> Why doesn't the ideal result appear after I input the code?
> code:
> [Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
> f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe;
> r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft
> \Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe; p:r:AcroRD32.exe;
> my virtual machine's result:
> ERROR: Invalid rk configuration value: '[Trojan Dropper] [all]
> [0A37D49E798F50C8F1010D5CFDE0E851]

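An added example, not part of the original thread and not OSSEC code: a small linter for the extra-line-break problem suggested in the reply above, which also flags the trailing space visible inside the quoted error value. It assumes the layout of the entries quoted in this thread (a three-field bracketed header, then one check per line starting with `f:`, `r:`, `p:` or `d:` and ending in `;`); `lint_rcl` and both sample strings are constructed for illustration.

```python
import re

# Assumed header layout: [name] [condition] [reference], nothing after the last ']'.
HEADER_RE = re.compile(r"^\[[^\]]+\] \[[^\]]+\] \[[^\]]*\]$")
# Check types: f: file, r: registry, p: process appear in the thread; d: directory.
CHECK_PREFIXES = ("f:", "r:", "p:", "d:")
# A second check that starts after a ';' on the same line.
SECOND_CHECK_RE = re.compile(r";\s*[frpd]:")

# Constructed from the entry as posted: trailing spaces and a wrapped registry check.
BROKEN_ENTRY = (
    "[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851] \n"
    r"f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe; " "\n"
    r"r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft " "\n"
    r"\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe; p:r:AcroRD32.exe;" "\n"
)

# Constructed: the same entry with one check per line and no trailing whitespace.
FIXED_ENTRY = (
    "[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]\n"
    r"f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe;" "\n"
    r"r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft"
    r"\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;" "\n"
    r"p:r:AcroRD32.exe;" "\n"
)


def lint_rcl(text):
    """Return a list of (line_number, message) findings for an rcl file body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip(" \t")
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("["):
            if line != line.rstrip():
                findings.append((lineno, "trailing whitespace after header"))
            elif not HEADER_RE.match(line):
                findings.append((lineno, "malformed header"))
            continue
        if not line.startswith(CHECK_PREFIXES):
            # Typical result of an editor or mail client wrapping a long r: line.
            findings.append((lineno, "fragment of a check split across lines"))
            continue
        body = line.rstrip()
        if not body.endswith(";"):
            findings.append((lineno, "check does not end with ';'"))
        if SECOND_CHECK_RE.search(body):
            findings.append((lineno, "more than one check on a line"))
    return findings


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN_ENTRY), ("fixed", FIXED_ENTRY)):
        print(name)
        for lineno, message in lint_rcl(sample):
            print(f"  line {lineno}: {message}")
```

Running it on the agent's copy of win_malware_rcl.txt before restarting the agent catches these layout problems without waiting for the next rootcheck scan.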


Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread 林威任
Excuse me, I want to ask something.
Why doesn't the ideal result appear after I input the code?
code:
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851] 
f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe; 
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft 
\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe; p:r:AcroRD32.exe;
my virtual machine's result:
ERROR: Invalid rk configuration value: '[Trojan Dropper] [all] 
[0A37D49E798F50C8F1010D5CFDE0E851]



Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread 林威任
Excuse me, I want to ask something.
Why doesn't the ideal result appear after I input the code?
code:
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851] 
f:C:UsersIEUserAppDataLocalTempAcroRD32.exe; 
r:HKEY_USERSS-1-5-21-3463664321-2923530833-3546627382-1000 
SoftwareMicrosoftWin$ p:r:AcroRD32.exe;
my result:
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851] 
f:C:UsersIEUserAppDataLocalTempAcroRD32.exe; 
r:HKEY_USERSS-1-5-21-3463664321-2923530833-3546627382-1000 
SoftwareMicrosoftWin$ p:r:AcroRD32.exe;



Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread 林威任
Thank you very much!!!



Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread Santiago Bassett
Here you go (just created the github repo)

https://github.com/santiago-bassett/malware-samples/blob/master/0A37D49E798F50C8F1010D5CFDE0E851.zip

Password: "malware"


On Sun, Mar 13, 2016 at 10:20 PM,  wrote:

> I really need it.
> How can I get it? For email?



Re: [ossec-list] Re: windows malware detection

2016-03-13 Thread m0361001
I really need it.
How can I get it? For email?



Re: [ossec-list] Re: windows malware detection

2016-03-13 Thread Santiago Bassett
Hi, are you looking for the malware sample I used in the presentation?
(hash 0A37D49E798F50C8F1010D5CFDE0E851)

I still have it if you need it.

Best

On Tue, Mar 8, 2016 at 10:37 PM,  wrote:

> I have written this code so far.
>
> [Trojan Downloader] [all] [016eb36cc03a562545f0b3bed36f49a6]
> f:C:%WINDIR%\System32\trojan\trojan12.exe;
> r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion;
> p:r:trojan12.exe;



[ossec-list] Re: windows malware detection

2016-03-08 Thread m0361001
I have written this code so far.

[Trojan Downloader] [all] [016eb36cc03a562545f0b3bed36f49a6] 
f:C:%WINDIR%\System32\trojan\trojan12.exe; 
r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; 
p:r:trojan12.exe;



[ossec-list] Re: Windows Malware Detection

2016-03-07 Thread 林威任
OK, I will try this method and watch this website. Thank you very much.



[ossec-list] Re: Windows Malware Detection

2016-01-15 Thread Jesus Linares
Hi,

if you want to use Sysmon + OSSEC, here you have decoders for every Sysmon event:

   - Event ID 1: Process Created
   - Event ID 2: A process changed a file creation time
   - Event ID 3: Network connection
   - Event ID 4: Sysmon service state changed
   - Event ID 5: Process terminated
   - Event ID 6: Driver loaded
   - Event ID 7: Image loaded
   - Event ID 8: CreateRemoteThread
   
Also, take a look at sysmon rules included by default in OSSEC.



On Thursday, January 14, 2016 at 2:58:56 PM UTC+1, Brent Morris wrote:
>
>
> http://santi-bassett.blogspot.com/2014/09/osseccon-2014-malware-detection-with.html
>
> Another option would be to glean the SHA1 values of malware, and create 
> and use the Sysmon blacklist.  But automating a blacklist of SHA1 values 
> for malware, using Sysmon and a CDB list in OSSEC would be a method worth 
> considering.  This wouldn't work with the win_malware_rcl.txt and using 
> IOCs from that angle.
>
> On Friday, January 8, 2016 at 4:05:40 AM UTC-8, 林威任 wrote:
>>
>> Hello, I have installed the server and agent of OSSEC.
>> I want to use OSSEC to detect malware on Windows systems,
>> so I must add some code to win_malware_rcl.txt.
>> Then I can analyse the log files produced.
>> PS: this is used for research.
>> Please give me some ideas.
>> Thank you very much.
>>
>



[ossec-list] Re: Windows Malware Detection

2016-01-14 Thread Brent Morris
http://santi-bassett.blogspot.com/2014/09/osseccon-2014-malware-detection-with.html

Another option would be to glean the SHA1 values of malware, and create and 
use the Sysmon blacklist.  But automating a blacklist of SHA1 values for 
malware, using Sysmon and a CDB list in OSSEC would be a method worth 
considering.  This wouldn't work with the win_malware_rcl.txt and using 
IOCs from that angle.

On Friday, January 8, 2016 at 4:05:40 AM UTC-8, 林威任 wrote:
>
> Hello, I have installed the server and agent of OSSEC.
> I want to use OSSEC to detect malware on Windows systems,
> so I must add some code to win_malware_rcl.txt.
> Then I can analyse the log files produced.
> PS: this is used for research.
> Please give me some ideas.
> Thank you very much.
>
