Closed S3COPS closed 3 years ago
The Raccine_log.txt file has more information than is provided to the Windows Event Log. Can we add the additional Image details to the Application Event, to allow better quality information to reach a SIEM?
Sample of Windows Event:
"Raccine detected malicious activity: vssadmin delete shadows (simulation mode)"
Sample of equivalent raccine_log.txt:
2020-11-01 10:53:09 DETECTED_CMD: 'vssadmin.exe delete shadows COMMENT: Raccine detected malicious activity
2020-11-01 10:53:10 DETECTED_CMD: 'vssadmin.exe delete shadows ' IMAGE: 'explorer.exe' PID: 3312 ACTION: Whitelisted
2020-11-01 10:53:10 DETECTED_CMD: 'vssadmin.exe delete shadows ' IMAGE: '(unavailable)' PID: 3012 ACTION: Terminated
2020-11-01 10:53:10 DETECTED_CMD: 'vssadmin.exe delete shadows ' IMAGE: 'cmd.exe' PID: 7212 ACTION: Terminated
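Until the Event Log carries the IMAGE/PID/ACTION fields, a SIEM collector can recover them from raccine_log.txt directly. The parser below is an added example, not Raccine's code or part of the PR; it assumes the line format quoted above (timestamp, then `KEY: value` fields), tolerates the unterminated quote in the first sample line, and flags terminations where Raccine could not resolve the parent image.

```python
import json
import re

# Constructed sample, copied from the raccine_log.txt lines quoted in the issue.
SAMPLE_LOG = """\
2020-11-01 10:53:09 DETECTED_CMD: 'vssadmin.exe delete shadows COMMENT: Raccine detected malicious activity
2020-11-01 10:53:10 DETECTED_CMD: 'vssadmin.exe delete shadows ' IMAGE: 'explorer.exe' PID: 3312 ACTION: Whitelisted
2020-11-01 10:53:10 DETECTED_CMD: 'vssadmin.exe delete shadows ' IMAGE: '(unavailable)' PID: 3012 ACTION: Terminated
2020-11-01 10:53:10 DETECTED_CMD: 'vssadmin.exe delete shadows ' IMAGE: 'cmd.exe' PID: 7212 ACTION: Terminated
"""

KEYS = ("DETECTED_CMD", "IMAGE", "PID", "ACTION", "COMMENT")
_KEY_ALT = "|".join(KEYS)
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
# A field runs from "KEY: " up to the next known key or end of line, so an
# unterminated quote (as in the first sample line) does not break parsing.
FIELD_RE = re.compile(rf"({_KEY_ALT}): (.*?)(?= (?:{_KEY_ALT}): |$)")


def parse_line(line):
    """Return a dict for one raccine_log.txt line, or None if it is not one."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    record = {"timestamp": m.group(1)}
    for key, value in FIELD_RE.findall(m.group(2)):
        value = value.strip().strip("'").strip()  # drop the quoting Raccine adds
        record[key.lower()] = int(value) if key == "PID" else value
    return record


def parse_raccine_log(text):
    """Parse a whole log file; lines that are not Raccine entries are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unresolved_terminations(records):
    """Terminated processes whose parent image Raccine could not resolve."""
    return [r for r in records
            if r.get("action") == "Terminated" and r.get("image") == "(unavailable)"]


def to_siem_json(records):
    """One JSON object per line (NDJSON), the shape most SIEM forwarders ingest."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    recs = parse_raccine_log(SAMPLE_LOG)
    print(to_siem_json(recs))
    print(len(unresolved_terminations(recs)), "termination(s) with unresolved image")
```

An "(unavailable)" image on a Terminated entry is worth a separate alert tier: the kill happened, but the parent that spawned vssadmin could not be identified, so the analyst has to pivot on the PID and timestamp instead.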
I am preparing a PR with these details:
I created PR https://github.com/Neo23x0/Raccine/pull/101 for this.